Important Security Release for ALL WP eCommerce Users

tl; dr: Update your plugins.  All of them.  Including WP eCommerce. Massive thanks to security team, Yoast, and many others.

What Happened?

Joost de Valk, of Yoast fame, discovered a vulnerability in several of his plugins.  We won’t tell his story here, as he’s done a brilliant job of it on his blog post.  Long story short, he found a vulnerability in his plugins with regards to usage of add_query_arg and remove_query_arg. We’re grateful to those who disclosed the vulnerability responsibly to Joost, Joost for working so closely with with the plugin developer community, Sucuri for running point on security disclosure and the Security team for helping coordinate plugin updates.

Stop, Collaborate and Listen

This is very possibly among the most coordinated, collaborative upgrade processes in the WordPress community.  I have never personally been part of such an effort, and it has been inspiring to see developers of all backgrounds working together towards a common goal: a more secure WordPress ecosystem.  I’m endlessly impressed by all involved and humbled to be part of such a great community.  You’ll see dozens of plugins with updates today, all coordinating together. None of this would be possible without everyone working together.  Open source FTW!

Users: Where’s the Update?

If you don’t see the update yet, go to your wp-admin/update-core.php page, under Dashboard → Updates, this will clear the cache for all updates and should then show you the updates for our plugins.

Going to this page will also make sure any automatic updates are done a few seconds later too. Be sure to check your plugins page a minute or so later to see if all the needed plugins are still active.

We highly recommend all users update to the latest release, 3.9.3.  However, as an extra security measure, we have updated branches dating back all the way to the 3.8.8 branch.  Many of our users are running older versions of WP eCommerce than we would like, but we understand and appreciate the reality of their circumstances and want to ensure a secure ecosystem.  To that effect, if you are unable to update to 3.9.3, you can choose from the following back-ported releases.   Choose the one that is closest to the version that you are currently on.  To reiterate, this is a big deal.

For Developers: How to Stay Secure

The short version for developers of how to fix this issue: if you’re using eitheradd_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url.  If you’re passing the URL to an external API (perhaps using the WP HTTP API) or passing it through HTTP headers (perhaps through wp_redirect()), you’ll want to use esc_url_raw instead.  More information can be found on the Make blogs at


We are incredibly grateful to the WordPress community at large – but especially to the following people:

  1. Joost de Valk and Sucuri, for their responsible disclosure on this matter.  To Joost, specifically, for his leadership and much of the contents of this post.
  2. The Security team, especially Gary Pendergast and Dion Hulse.
  3. All the WordPress plugin authors who coordinated and worked incredibly hard (and very quickly) to get these releases out.
29 responses... add one

Hi – do we need to upgrade if we are NOT using any Yoast plugins on the site?

Yes update all plugins that show an update notification.
Its not just Yoast plugin that is vulnerable and there can be many more plugins out there affected but not listed anywhere.

Great info!

But a slide out right, popup on the bottom and cannot read the article on small tablet…


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.