Security Vulnerability Affecting WordPress Plugins and Themes


#1

A security issue was announced today that affects many WordPress plugins and themes and which requires your attention.

Plugin and Theme Authors

Your item will be affected if you use any of the following:

  • add_query_arg()
  • remove_query_arg()
  • TGM Plugin Activation class

There is a small chance that your item will be affected if you are using the Redux or OptionTree frameworks. We are working to confirm this.

What you should do

  • Core Functions
    If you use the add_query_arg() and/or remove_query_arg() functions in your plugin or theme, you need to make sure that you are escaping these functions properly, as outlined on the Make WordPress site.
  • TGM Plugin Activation class
    If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.
  • OptionTree
    If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this.
    UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.
  • Redux
    If you use Redux, it also uses these functions. Most are escaped appropriately, but we have a couple of questions and have reached out to the author. We will be providing you with more information very soon.
    UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.
  • Plugins Included With Themes
    Theme Authors: If you have included any affected third-party plugins, we will be emailing you in the coming days so that you can update your theme. In the meantime, you may want to periodically check the plugins you’ve included and see whether these have been updated.

Note: When submitting an update that addresses these issues, please include a note mentioning that this is related to the XSS vulnerability. This will allow us to prioritise the review of the updates.

Buyers

We are currently evaluating all WordPress items sold through Envato Market. Once we have done this, we will notify you if you have purchased an item that is affected. We do not have an exact timeframe for this yet, but we are treating this as a priority and will be keeping you up to date via this forum thread.

In the meantime, the best advice is to periodically check for updates to the theme and plugins you are using and apply any updates as soon as possible.

For more information see

  • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
  • https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
  • http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins
  • https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/

Note

This has been cross-posted on both the CodeCanyon and ThemeForest forums and updates will be given in both places. Here is the ThemeForest entry.


#2

Will the author be notified first? I am currently checking my own plugins for any areas where I may have missed the esc_url function, but I definitely do not want to cause a panic frenzy among users before I am able to get the update out.


#3

@StephenCronin: This information is not entirely accurate.

The problem with the add_query_arg() function is only in one case: if you use this function without setting the URL. If the URL in this function is not set, it will use the URL from the $_SERVER global, and that is potentially what is dangerous. If the function sets the URL on its own, then there is no problem. I use this function in some of my plugins, and in all cases I provide the URL to this function (third argument), so it is not getting the URL from the $_SERVER global and it is not vulnerable.

Example from my plugin:

$url = add_query_arg('w', $week->week, get_year_link($week->year)); // URL supplied explicitly as the third argument

This is a safe way, since the third argument is a properly generated and safe URL. If I were to have:

$url = add_query_arg('w', $week->week); // no URL supplied: the function takes it from the $_SERVER global

That would be a vulnerable use of this function.

So, if you start disabling plugins that use this function without a deeper understanding of how the function is used, you will create chaos among authors and buyers, and if you disable a plugin that should not be disabled it would be a very bad thing. My suggestion is that you contact the authors of the plugins you suspect have a problem, discuss this first and leave some time for the authors to fix this.

Milan


#4

At this stage, we are just making people aware that there is an issue, so that authors can check their items and update if necessary and so that buyers can check for any updates they need to process. We’ll provide further details on the plan tomorrow (it’s 1am here).

@GDragoN - we understand that. We say “you need to make sure that you are escaping these functions properly, as outlined on the Make WordPress site” - that site explains when they need to be escaped (when the URL is left out, when it is printed to page, etc).

That said, I know many authors across the WordPress ecosystem are choosing to escape, even when they don’t actually have to, just to reduce any doubt. And from a practical point of view escaping will make it quicker for us to clear your plugin! :slight_smile: If in doubt - escape.

Also, note that at this stage, we have not talked about disabling plugins. That may be a path we take for items that do have an exploitable vulnerability, but at this stage it’s about getting authors to check their item and make buyers aware to process any updates.
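An added audit helper, not taken from this thread, from Envato or from WordPress, that applies the two conditions discussed in #3 and #4 to plugin source: it flags add_query_arg()/remove_query_arg() calls whose URL argument is omitted (so the function falls back to $_SERVER['REQUEST_URI']) and records whether the call is wrapped directly in esc_url()/esc_url_raw(). The argument-count rule follows the public WordPress signatures (add_query_arg($key, $value, $url) or add_query_arg(array $args, $url); remove_query_arg($key, $url)). It is a regex heuristic rather than a PHP parser, and the PHP it scans is a constructed sample.

```python
"""Heuristic audit of add_query_arg()/remove_query_arg() usage in PHP source.
Added example for this thread; it is not WordPress code. It is regex-based,
not a PHP parser, so treat its output as a worklist, not a verdict."""
from __future__ import annotations
import re
from dataclasses import dataclass

# WordPress public signatures: add_query_arg($key, $value, $url) or
# add_query_arg(array $args, $url); remove_query_arg($key, $url).
CALL_RE = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
ESCAPED_RE = re.compile(r"\b(?:esc_url|esc_url_raw)\s*\(\s*$")
ARRAY_RE = re.compile(r"^(?:array\s*\(|\[)", re.I)

@dataclass
class Finding:
    line: int
    func: str
    url_omitted: bool   # no URL given -> falls back to $_SERVER['REQUEST_URI']
    escaped: bool       # call sits directly inside esc_url()/esc_url_raw()

def _split_call_args(src: str, open_idx: int) -> list[str]:
    """Return the top-level arguments of the call whose '(' is at open_idx.
    Nesting and PHP single/double-quoted strings are tracked so commas inside
    nested calls or string literals do not split an argument."""
    depth, quote, cur, args = 0, None, [], []
    i = open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):   # keep escaped char in string
                i += 1
                cur.append(src[i])
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append("".join(cur))
                return [a.strip() for a in args if a.strip()]
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    raise ValueError(f"unterminated call at offset {open_idx}")

def audit(php_source: str) -> list[Finding]:
    """Locate every target call and record whether the URL argument is
    present and whether the result is escaped at that point."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        func = m.group(1)
        args = _split_call_args(php_source, m.end() - 1)
        if func == "add_query_arg":
            needed = 2 if args and ARRAY_RE.match(args[0]) else 3
        else:
            needed = 2
        prefix = php_source[max(0, m.start() - 64):m.start()]
        findings.append(Finding(
            line=php_source.count("\n", 0, m.start()) + 1,
            func=func,
            url_omitted=len(args) < needed,
            escaped=ESCAPED_RE.search(prefix) is not None,
        ))
    return findings

def needs_attention(findings: list[Finding]) -> list[Finding]:
    """The combination described in #3/#4: URL omitted and output not escaped."""
    return [f for f in findings if f.url_omitted and not f.escaped]

def report(findings: list[Finding]) -> str:
    rows = []
    for f in findings:
        flag = "REVIEW" if f.url_omitted and not f.escaped else "ok"
        url = "URL omitted" if f.url_omitted else "URL supplied"
        esc = "esc_url wrapped" if f.escaped else "not escaped"
        rows.append(f"line {f.line}: {f.func}() {url}, {esc} [{flag}]")
    return "\n".join(rows)

# Constructed sample; not taken from any real plugin.
SAMPLE_PHP = """<?php
$a = add_query_arg('w', $week->week, get_year_link($week->year));
$b = add_query_arg('w', $week->week);
echo '<a href="' . esc_url( add_query_arg( array( 'paged' => 2 ) ) ) . '">';
$c = remove_query_arg( 'settings-updated' );
$d = esc_url_raw( remove_query_arg( array( 'a', 'b' ), $url ) );
"""

if __name__ == "__main__":
    print(report(audit(SAMPLE_PHP)))
```

Running it on the sample lists two calls for review (the `$b` and `$c` lines, where no URL is given and nothing escapes the result) and marks the rest ok. The heuristic does not skip commented-out code and only recognises esc_url()/esc_url_raw() when it immediately wraps the call, so a result that is stored in a variable and escaped later on output will show as "not escaped" and needs a manual look.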


#5

Further information regarding Redux has been added to the original post, as follows:

UPDATE: There was a minor issue with Redux, which has been fixed in version 3.5.4, now available from the WordPress plugin directory. Please update your items to use this version.


#6

Hi All,

I just updated the original post with the following:

OptionTree
If you use OptionTree, then although this does use add_query_arg and remove_query_arg, we are confident that none of the instances can be exploited. There will be an update that escapes these functions in future that you should include in your item, but you should not delay updating your items waiting for this.
UPDATE: Version 2.5.4 of this plugin has been released and is now available from the WordPress plugin directory. This version escapes all instances of the functions and also fixes the term splitting issue for WordPress 4.2 (due to be released very soon). Please update your items to use this version.

#7

Hi All,

I just updated the original post with the following information about TGM PA:

UPDATE: Version 2.4.1 of TGM Plugin Activation has been released and can be downloaded from this page. Please update your items to use this version.

This seems to fix the bulk install issue as well, although I haven’t extensively tested it.

This is the version you should be using (i.e. it is the official release). If you have updated your item already to use a secure version, then there is no immediate need to update to this version - although it makes sense as this is likely to be more stable.

Cheers,
Stephen


#8

Yippie, so some of the "top" authors are finally forced to update their super super old and compatibility breaking versions of TGM.


#9

Hi All,

Really sorry about this, but TGM PA have had to delete the new version I posted about last time and create another one. I just added this update to the original post:

UPDATE2: The previous update contained a link to a release that has now been removed (as it was built from develop not master). Here is the correct link for version 2.4.1.


#10

It is helpful if someone has a lot of changes in the code:

http://smartik.ws/2015/04/safe-add_query_arg-and-remove_query_arg/


#11

Hi All,

I’ve updated the original post to say the following for TGM PA:

TGM Plugin Activation class

If you use the TGM Plugin Activation class, then you need to update your item to include version 2.4.2. Previous advice was to use 2.4.1, which addressed the security concerns, but which had a problem with the bulk installer. This has been fixed in 2.4.2.