Wordpress Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Discussion in 'Blogs & CMS usage' started by eva2000, Apr 21, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    According to Sucuri, a massive co-ordinated update has been released for dozens of WordPress plugins which are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions.

    So update your WordPress plugins ASAP!

    You can easily use a shell script to auto update WordPress every 8 hours (3 times a day) if you have the WP-CLI addon/tool installed.

    Change the EMAIL and WPINSTALL_DIR variables to your email and your WordPress install directory.

    Save it to, say, /root/tools/wpupdater.sh. I commented out the 2 lines which update the WP core and database; uncomment them if you want to auto update WP core and database too.
    Code:
    #!/bin/bash
    PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
    EMAIL='youremail@address.com'
    WPINSTALL_DIR='/home/nginx/domains/newdomain2.com/public'
    
    {
    # abort (and report by email) if the install directory is missing,
    # instead of running wp in whatever cwd cron happened to start in
    cd "$WPINSTALL_DIR" || { echo "cannot cd to $WPINSTALL_DIR"; exit 1; }
    echo "$WPINSTALL_DIR"
    # update WP-CLI itself (--yes answers its confirmation prompt, which would
    # otherwise block an unattended cron run), list plugins, then update them all
    /usr/bin/wp cli update --yes --allow-root
    /usr/bin/wp plugin status --allow-root
    /usr/bin/wp plugin update --all --allow-root
    # uncomment to also update WP core and the database schema
    #/usr/bin/wp core update --allow-root
    #/usr/bin/wp core update-db --allow-root
    } 2>&1 | mail -s "Wordpress WP-CLI Auto Update $(date)" "$EMAIL"
    Give it permissions:
    Code:
    chmod 0700 /root/tools/wpupdater.sh
    Use crontab -e to add the following cron job:

    Code:
    0 */8 * * * /root/tools/wpupdater.sh 2>/dev/null
    Exit crontab and save via CTRL+X.

    Sample email I got:
    Code:
    /home/nginx/domains/newdomain2.com/public
    Success: WP-CLI is at the latest version.
    33 installed plugins:
      A wp-security-scan                4.0.5
      I addthis-smart-layers            1.0.10
      I akismet                         3.1.1
      A autoptimize                     1.9.2
      I backupwordpress                 3.2.4
      I db-cache-reloaded-fix           2.3
      A disable-xml-rpc                 1.0.1
      I go-newrelic                     0.3
      A google-analytics-for-wordpress  5.3.3
      I google-authenticator            0.47
      A gtmetrix-for-wordpress          0.4.1
      I hello                           1.6
      A jetpack                         3.4.1
      A limit-login-attempts            1.7.1
      A no-longer-in-directory          1.0.39
      A p3-profiler                     1.5.3.8
      I query-monitor                   2.7.1
      I recent-tweets-slider            1.0.1
      A rocket-lazy-load                1.0.3
      I search-regex                    1.4.15
      A sucuri-scanner                  1.7.8
      A theme-check                     20141222.1
      A tpc-memory-usage                0.9.1
      A updraftplus                     1.9.63
      I w3-total-cache                  0.9.4.1
      A wordpress-seo                   2.0.1
      A wp-optimize                     1.8.9.10
      A wp-smushit                      1.7.1.1
      A wp-super-cache                  1.4.4
      A wp-super-cache-clear-cache-menu 1.3.1
      A wp-updates-notifier             1.4.1
      A wp-widget-cache                 0.26
      M p3-profiler
    
    Legend: A = Active, I = Inactive, M = Must Use
    Success: Updated 0/0 plugins.
    If you're using Centmin Mod .08 beta with the new centmin.sh menu option 22 for WordPress auto installation, the routine already has this auto plugin updater configured for updates every 8 hrs :)
     
    Last edited: Apr 22, 2015
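The plugins covered by the advisory output the return value of add_query_arg() or remove_query_arg() without escaping it; when no URL argument is passed, those functions build on $_SERVER['REQUEST_URI'], which the requester controls, so a crafted URL reaches the page unfiltered until the plugin is updated. The script below is an added example (not from the original post, Centmin Mod or WP-CLI) for triaging a plugins directory where an update cannot run immediately: it greps plugin PHP for lines that echo either function's result without an escaping wrapper, and runs itself against two constructed plugin files (one vulnerable, one fixed) created under mktemp. The accepted wrapper list (esc_url, esc_url_raw, esc_attr) and the output patterns it looks for are assumptions of the heuristic.

```shell
#!/bin/sh
# Added example, not from the original post or Centmin Mod: heuristic triage for the
# add_query_arg()/remove_query_arg() XSS pattern. It flags PHP lines that output the
# return value of either function without an escaping wrapper around it.
# Heuristic only: a result stored in a variable and output later is not caught.

# Escaping wrappers accepted as a fix (assumption: esc_url/esc_url_raw/esc_attr).
SAFE_WRAPPERS='esc_(url|url_raw|attr)\('

# scan_plugins DIR: print "file:line:code" for each suspicious line.
scan_plugins() {
    grep -rnE '(add|remove)_query_arg\(' --include='*.php' "$1" 2>/dev/null \
      | grep -E '(echo|print|<\?=)' \
      | grep -vE "$SAFE_WRAPPERS"
}

# count_findings DIR: number of suspicious lines (always exits 0, unlike grep).
count_findings() {
    scan_plugins "$1" | awk 'END { print NR }'
}

# make_sample: create a throwaway plugins directory holding constructed files,
# one vulnerable and one fixed. Prints the directory path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/vuln-plugin" "$dir/safe-plugin"
    cat > "$dir/vuln-plugin/admin.php" <<'PHP'
<?php
/* constructed sample: unescaped result goes straight into an href */
echo '<a href="' . add_query_arg( 'page', 'settings' ) . '">Settings</a>';
$back = remove_query_arg( 'updated' );   /* kept in a variable: not caught */
?>
<a href="<?php echo remove_query_arg( 'updated' ); ?>">Back</a>
PHP
    cat > "$dir/safe-plugin/admin.php" <<'PHP'
<?php
/* constructed sample: same output, wrapped in esc_url() */
echo '<a href="' . esc_url( add_query_arg( 'page', 'settings' ) ) . '">Settings</a>';
?>
<a href="<?php echo esc_url( remove_query_arg( 'updated' ) ); ?>">Back</a>
PHP
    echo "$dir"
}

# Demo run on the constructed sample. On a real server, point scan_plugins at
# the site's wp-content/plugins directory instead (path is site-specific).
sample=$(make_sample)
echo "suspicious lines under $sample:"
scan_plugins "$sample"
echo "total: $(count_findings "$sample")"
rm -rf "$sample"
```

The vulnerable file yields two hits (the inline echo of add_query_arg() and the echo of remove_query_arg() in the template) and the fixed file none; the line that stores remove_query_arg() in $back is the false negative the comment warns about, so treat a clean scan as a prompt to update rather than proof a plugin is safe.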
  2. eva2000

    eva2000 Administrator Staff Member

    From Yoast: Security updates for our GA and SEO plugins & many others • Yoast