Today a coordinated security patch release was published for many WordPress plugins, including several of my plugins. Due to the number of posts that will be published regarding this release, I'll focus here only on my plugins and on what action is required from the user's end.
Several of my plugins used `add_query_arg` without escaping its output, resulting in an XSS vulnerability. All of my plugins only had this vulnerability in the WordPress backend, meaning the XSS vulnerability could only be exploited if a logged in user clicked a malicious link. If you wish to read more on the security issue and how you can prevent it, I recommend you read this article by Sucuri.
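As an added illustration (this is not code from any of the plugins listed on this page), here is the vulnerable pattern next to its escaped form. The function names and the `action`/`post` query parameters are made up for the example; the snippets assume they run inside a WordPress admin page, where `add_query_arg()`, `esc_url()`, `esc_url_raw()` and `wp_safe_redirect()` are available.

```php
<?php
// Illustrative example only; not code from the plugins named above.
// add_query_arg() with no URL argument builds on $_SERVER['REQUEST_URI'],
// so request data that the browser sent flows into the returned string.

// Vulnerable pattern: the returned URL is printed into an attribute as-is.
function example_vulnerable_link( $post_id ) {
    $url = add_query_arg( array( 'action' => 'relate', 'post' => (int) $post_id ) );
    return '<a href="' . $url . '">Relate post</a>'; // unescaped output: XSS
}

// Hardened pattern: escape at the point of output with esc_url().
function example_safe_link( $post_id ) {
    $url = add_query_arg( array( 'action' => 'relate', 'post' => (int) $post_id ) );
    return '<a href="' . esc_url( $url ) . '">Relate post</a>';
}

// The same rule applies when the URL is a redirect target rather than HTML:
// esc_url_raw() is the variant meant for non-display contexts.
function example_safe_redirect() {
    $url = add_query_arg( array( 'updated' => 'true' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

The habit to adopt is to never echo the return value of `add_query_arg()` (or `remove_query_arg()`) directly; wrap it in `esc_url()` for HTML output or `esc_url_raw()` for headers and database use.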
Updates for premium plugins will be automatically available if you've entered your license key in your WordPress backend. Please contact me via one of the links below if you've got any questions regarding updating your premium plugin. The following plugins I develop have been affected by this security issue and have patched updates available; thanks to the WP security team for helping coordinate this.
| Plugin | Secure version | Auto updated |
| --- | --- | --- |
| Related Posts for WordPress | 1.8.2 | Yes |
| Related Posts for WordPress Premium | 1.3.4 | No |
| Post Connector Premium | 1.6.4 | No |
* Download Monitor received 2 automatic updates. Both 1.7.1 and 1.6.5 are patched secure versions.
The plugin updates listed above should be available in your WordPress backend right now, and some of the plugins may already have been updated for you automatically.
If you have any questions regarding these updates please don’t hesitate to send me an email:
- Send me an email regarding Related Posts for WordPress
- Send me an email regarding Download Monitor
- Send me an email regarding Post Connector