It has come to our attention that there is a Cross-site Scripting (XSS) vulnerability, that is currently affecting a variety of WordPress Themes and plug-ins. According to https://marketblog.envato.com/news/wordpress-item-security-vulnerability/
It appears that this vulnerability has been caused by common code pattern add_query_arg() and remove_query_arg(), used in WordPress plugins and themes available from ThemeForest and CodeCanyon, the wordpress.org website and other sources.
If you use a WordPress website, regardless of where you have purchased the themes or plug-ins from, it is important that you are aware of these potential security issues, and take action to secure your website.
Daniel Sid of Sucuri advises that the current affected plug-ins to date are:
To date, this is the list of affected plug-ins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
Although there may be more affected plug-ins that haven’t been included in this list.
If you use WordPress as your CMS, then now is the time to update your plug-ins. Daniel Sid also offers some advise on his blog about ways to ensure that your website stays secure in the future:
- Patch. Keep your sites updated.
- Restrict. Restrictive access control.Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
- Monitor. Monitor your logs.They may give you clues to what is happening on your site.
- Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
- Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software. Our plugin and Sitecheck can do that for free for you.
- Defense in Depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits. You can even try our own CloudProxy to help you with that. If you like the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.
The make WordPress Plug-ins site has an in-depth write up on how to check and mend your plug-ins.
It is important to ensure that your website is kept up to date, so as to protect it from any security issues like this in the future.
If you are a customer of Divine Aesthetic and you hold a maintenance package with us then rest easy, because we are making all necessary updates to ensure that your website is secure. If you do need any help, or have any questions in regards to your WordPress website security, then please do not hesitate to contact us. We would be happy to help.[/vc_column_text][/vc_column][/vc_row]