Here are some of the most common WordPress plugins with XSS security vulnerabilities that need to be updated immediately. Let’s check and fix them as soon as possible.
Last week, the security firm Sucuri discovered that a large number of WordPress plugins have a security vulnerability (an XSS vulnerability) allowing hackers access to websites running outdated versions of these plugins. After working with the WordPress core security team, they listed 17 WordPress plugins with security vulnerabilities that need to be updated on a WordPress website. This is not a complete list of plugins vulnerable to Cross-site Scripting, but it covers popular plugins used by many webmasters.
List of plugins with security vulnerabilities:
The main issue is the wrong usage of
Patched security vulnerability with use of add_query_arg (https://codex.wordpress.org/Function_Reference/add_query_arg) reported by Joost de Valk
The security issue that Gravity Forms have patched is minor and not something that can be exploited without the user having admin access to your WordPress Dashboard. However, this may not be the case with the many other plugins that may be impacted.
The Easy Digital Downloads update resolves a security vulnerability due to improper usage of the add_query_arg() function. There were several locations in Easy Digital Downloads that were possibly susceptible to Cross-site Scripting attacks.
In UpdraftPlus, the danger is as follows: an attacker would need to a) send you a specially crafted link, and b) persuade you to click on it, on a computer on which you are also logged in to the WordPress dashboard on your site, with admin privileges. If you clicked on that link, then the attacker could run code in your dashboard page one time (i.e. not persistent – it won’t remain in your dashboard), performing UpdraftPlus administrative actions (e.g. download a backup, run a backup, delete a backup). We do not believe that there is a way for an attacker to upload and restore their own backup. (i.e. They cannot modify your site through injecting and restoring their own backups).
Fix potential reflexive XSS issue with add_query_arg() and remove_query_arg() usage. Update is highly recommended.
Fixed: add_query_arg/remove_query_arg vulnerability
Download Monitor WordPress Plugin and Related Posts for WordPress have this vulnerability in the WordPress backend, meaning the XSS vulnerability could only be exploited if a logged-in user clicked a malicious link while logged in.
If you’re currently running any version in the 2.3.x branch of My Calendar, your site is vulnerable. If you’re on an older version of My Calendar, you are not vulnerable to this security issue, but you may be vulnerable to a security issue I fixed in version 2.3.10.
Security update: Escape URLs returned by add_query_arg and remove_query_arg
Security: Hardened URLs with esc_url() across the plugin core
Fixed a serious CSRF/XSS vulnerability.
The vulnerability only affected pages within the wp-admin. That means that a user would need to be logged-in as an admin before they could do anything malicious.
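The pattern behind every changelog entry above is the same: when add_query_arg() or remove_query_arg() is called without a base URL, WordPress builds the result on $_SERVER['REQUEST_URI'] as received, and neither function escapes its output. Echoing that string into admin-page markup reflects whatever the current request URI contains. The following added example (not code from the page or from any of the plugins it lists) shows the vulnerable pattern beside the hardened form the changelogs describe (explicit base URL plus esc_url() at output), and adds a nonce on action links for the CSRF side mentioned above. It assumes it runs inside a WordPress plugin so the core functions exist; the plugin slug, function names and action name are constructed for illustration.

```php
<?php
// Added example for this page, not code from any of the plugins listed.
// Assumes WordPress is loaded (plugin context), so add_query_arg(),
// remove_query_arg(), esc_url(), esc_html(), admin_url(), wp_nonce_url()
// and check_admin_referer() are available. 'example-plugin' and
// 'example_plugin_*' are hypothetical names.

// VULNERABLE: no base URL is passed, so add_query_arg() builds on
// $_SERVER['REQUEST_URI'] verbatim and returns it unescaped. If an admin
// opens a crafted link to this page, the crafted part of the URI is written
// straight into the href attribute: reflected, non-persistent XSS.
function example_plugin_tab_link_vulnerable( $tab ) {
    $url = add_query_arg( 'tab', $tab ); // derived from REQUEST_URI, not escaped
    return '<a href="' . $url . '">' . $tab . '</a>';
}

// HARDENED: build on an explicit, trusted base URL so the request URI never
// enters the string, and escape at the point of output. esc_url() encodes
// characters that would break out of the attribute and rejects unsafe
// schemes such as javascript:.
function example_plugin_tab_link_hardened( $tab ) {
    $base = admin_url( 'admin.php?page=example-plugin' );
    $url  = add_query_arg( 'tab', $tab, $base );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}

// Sometimes the link must be derived from the current request (for example
// a "clear filters" link in a list table). The base is then attacker-
// influenced, so escaping at output is the only thing standing between the
// request URI and the markup: always wrap the result in esc_url().
function example_plugin_clear_filters_link() {
    $url = remove_query_arg( array( 'orderby', 'order', 's' ) );
    return '<a href="' . esc_url( $url ) . '">Clear filters</a>';
}

// For links that trigger an administrative action (run, download or delete
// something), escaping alone does not stop a clicked crafted link from
// performing the action on behalf of the logged-in admin. Bind the link to
// a nonce and verify it in the handler so a link fabricated off-site fails.
function example_plugin_delete_link( $item_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_plugin_delete', 'item' => (int) $item_id ),
        admin_url( 'admin.php?page=example-plugin' )
    );
    $url = wp_nonce_url( $url, 'example_plugin_delete_' . (int) $item_id );
    return '<a href="' . esc_url( $url ) . '">Delete</a>';
}

// Handler side: capability check plus nonce verification before acting.
function example_plugin_handle_delete() {
    if ( ! isset( $_GET['action'] ) || 'example_plugin_delete' !== $_GET['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $item_id = isset( $_GET['item'] ) ? (int) $_GET['item'] : 0;
    check_admin_referer( 'example_plugin_delete_' . $item_id ); // dies on bad nonce
    // ... perform the deletion for $item_id here ...
}
```

When auditing a plugin for this issue, look for any add_query_arg() or remove_query_arg() result that reaches an echo, printf or string concatenation into HTML without passing through esc_url() (or esc_url_raw() for non-HTML contexts such as redirects); both the missing base URL and the missing escape matter, but the escape at output is the fix the changelogs above all converge on.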