If you have a WordPress site, you should know that there is an XSS vulnerability affecting multiple WordPress plugins and themes. This is caused by a common code pattern used in WordPress plugins and themes available from ThemeForest and CodeCanyon, the wordpress.org website and other sources. This is major because someone can use this vulnerability to execute a malicious attack on your website which is a headache most of us don’t want to deal with. So far, there is no evidence that suggests the vulnerability is being actively exploited by anyone. However, this issue is not limited to themes and plugins purchased from ThemeForest or CodeCanyon.
To date, this is the list of some of the affected plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
There are likely more plugins affected but only time will tell exactly what other ones have been affected. Just a reminder before the panic begins— all software will have bugs of some kind and some of those bugs will inevitably lead to security vulnerabilities one way or another. We live in a technological world so bugs are to be expected. Individual authors of specific themes have been asked to update their code accordingly to fix any vulnerabilities’ within the code itself by issuing a new updated theme, free of bugs.
Anyone using a WordPress website, regardless of where the theme or plugin was sourced, needs to be aware of this and take immediate action to ensure it is secure. The first step needed to be taken is to periodically check for updates to your WordPress theme or plugins and apply those immediately. If you are unsure of what you are doing, have an experienced WordPress developer check whether or not your site is affected. If you are a customer of ours please rest assured that we are constantly monitoring your site for updates.