Critical XSS Vulnerability Affecting Many WordPress Plugins

This vulnerability is one of the more serious ones and allows anonymous users to compromise your WordPress site if it’s not patched up. This XSS vulnerability takes advantage of the incorrect usage of the add_query_arg() and remove_query_arg() functions, which are widely used by plugin developers to modify the query strings of URLs within WordPress.
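The root cause is that both functions, when called without an explicit URL, build their result on top of the current request's URI, which the client controls, and they do not escape that result for HTML. A plugin that echoes the return value straight into an attribute can therefore be made to emit attacker-supplied markup. The fix the advisories recommend is to pass the result through esc_url() (or esc_url_raw() for non-HTML contexts) before it reaches the page. The example below is added here and is not code from the original post or from any of the plugins listed; it shows the vulnerable pattern next to the hardened one. Because the real WordPress functions are not available outside WordPress, simplified stand-ins for add_query_arg() and esc_url() are defined under function_exists() guards; they are assumptions that model only the behaviour relevant here (the path portion of REQUEST_URI is reused raw, and esc_url() strips characters such as quotes and angle brackets). The request URI is a constructed sample.

```php
<?php
// Added example: vulnerable vs. hardened use of add_query_arg().
// The stand-ins below are simplified models, not the real WordPress code.

if (!function_exists('add_query_arg')) {
    // Stand-in (assumption): reuses the path of $_SERVER['REQUEST_URI'] as-is
    // and rebuilds only the query string, mirroring the behaviour that
    // made the real function dangerous when its output was not escaped.
    function add_query_arg(array $args, ?string $url = null): string {
        $url   = $url ?? $_SERVER['REQUEST_URI'];
        $parts = explode('?', $url, 2);
        $query = [];
        if (isset($parts[1])) {
            parse_str($parts[1], $query);
        }
        foreach ($args as $key => $value) {
            if ($value === false) {
                unset($query[$key]);      // false removes a parameter
            } else {
                $query[$key] = $value;
            }
        }
        return $parts[0] . ($query ? '?' . http_build_query($query) : '');
    }
}

if (!function_exists('esc_url')) {
    // Stand-in (assumption): drops characters that are not valid in a URL,
    // which includes '"', '<' and '>', then entity-encodes '&' and "'" so the
    // value is safe inside an HTML attribute.
    function esc_url(string $url): string {
        $url = str_replace(' ', '%20', $url);
        $url = preg_replace('#[^a-z0-9\-~+_.?\#=!&;,/:%@$|*\'()\x80-\xff]#i', '', $url);
        return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
    }
}

// Vulnerable pattern: the URL is echoed into an attribute without escaping,
// so a quote in the request path closes the href attribute early.
function render_link_vulnerable(): string {
    $url = add_query_arg(['page' => 'settings']);
    return '<a href="' . $url . '">Settings</a>';
}

// Hardened pattern: escape the result before it is placed into HTML.
function render_link_fixed(): string {
    $url = esc_url(add_query_arg(['page' => 'settings']));
    return '<a href="' . $url . '">Settings</a>';
}

// Constructed request URI, as a raw HTTP client could send it: the path
// carries a double quote and a tag after admin.php.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><b>injected</b>?page=old';

echo "vulnerable: ", render_link_vulnerable(), "\n";
// <a href="/wp-admin/admin.php/"><b>injected</b>?page=settings">Settings</a>

echo "fixed:      ", render_link_fixed(), "\n";
// <a href="/wp-admin/admin.php/binjected/b?page=settings">Settings</a>
```

When auditing a plugin or theme, search its source for every call to add_query_arg() and remove_query_arg() and confirm that each result reaching HTML output is wrapped in esc_url(); any call whose return value is concatenated or echoed directly into markup is the pattern this advisory is about.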

Some of the more popular plugins that were affected are:

  • Jetpack
  • WordPress SEO
  • Google Analytics (by Yoast)
  • All-In-One-SEO
  • Gravity Forms
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • My Calendar
  • P3 Profiler
  • Related Posts for WordPress
  • Broken-Link-Checker
  • Ninja Forms
  • Multiple iThemes plugins & themes
  • Multiple Plugins from Easy Digital Downloads

This XSS vulnerability was serious enough for the WordPress team to update the WordPress core for the previous versions – TWICE.

WordPress version 3.8.x was updated to 3.8.6 and then to 3.8.7

WordPress version 3.9.x was updated to 3.9.4 and then to 3.9.5

WordPress version 4.0.1 was updated to 4.0.2 and then to 4.0.3

And WordPress 4.1.x was updated to 4.1.2 and then to 4.1.3


For more detailed/technical info about this vulnerability, please check out:

https://wordpress.org/news/2015/04/wordpress-4-1-2/

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

https://yoast.com/coordinated-security-release/