XSS vulnerability affects a lot of popular WordPress plugins
For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex lead many developers to assume these functions would properly escape user input.
The following plugins are affected and should be updated immediately:
- WordPress SEO
- Google Analytics
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- WP e-Commerce
- Download Monitor
- P3 Profiler
- iThemes Exchange
- Ninja Forms
- Aesop Story Engine
- My Calendar
Maybe more plugins are affected. Please make sure you keep all plugins and you WordPress theme updated.
For more info about the vulnerability read the article at Sucuri.