tl;dr: Update your plugins. All of them. Including WP eCommerce. Massive thanks to the WordPress.org security team, Yoast, and many others.
Joost de Valk, of Yoast fame, discovered a vulnerability in several of his plugins. We won’t retell his story here, as he’s done a brilliant job of it on his own blog post. Long story short, he found a vulnerability in his plugins in how they used remove_query_arg. We’re grateful to those who disclosed the vulnerability responsibly to Joost, to Joost for working so closely with the plugin developer community, to Sucuri for running point on the security disclosure, and to the WordPress.org Security team for helping coordinate plugin updates.
Stop, Collaborate and Listen
This is very possibly among the most coordinated, collaborative upgrade processes in the WordPress community. I have never personally been part of such an effort, and it has been inspiring to see developers of all backgrounds working together towards a common goal: a more secure WordPress ecosystem. I’m endlessly impressed by all involved and humbled to be part of such a great community. You’ll see dozens of plugins with updates today, all coordinating together. None of this would be possible without everyone working together. Open source FTW!
Users: Where’s the Update?
If you don’t see the update yet, visit your wp-admin/update-core.php page (Dashboard → Updates). Loading that page clears the cache for all updates and should then show you the updates for our plugins.
Visiting this page also triggers any pending automatic updates a few seconds later. Be sure to check your Plugins page a minute or so afterwards to confirm that all the plugins you need are still active.
We highly recommend that all users update to the latest release, 3.9.3. However, as an extra security measure, we have released updates for every branch back to 3.8.8. Many of our users are running older versions of WP eCommerce than we would like, but we understand and appreciate the reality of their circumstances and want to ensure a secure ecosystem. To that end, if you are unable to update to 3.9.3, you can choose from the following back-ported releases. Choose the one that is closest to the version you are currently running. To reiterate, this is a big deal.
- 3.9.3 (This will be available in your WordPress Dashboard)
For Developers: How to Stay Secure
The short version for developers of how to fix this issue: if you call either add_query_arg or remove_query_arg without passing in a URL, the function bases the URL it builds on $_SERVER['REQUEST_URI']. In that process it URL-decodes the parameter names in the request URI, so an attacker-supplied parameter name can carry characters that break out of an HTML attribute, allowing reflected XSS wherever the result is printed unescaped. The fix is to wrap the output in esc_url() when it is printed into HTML. If you are instead passing the URL to an external API (perhaps using the WP HTTP API) or sending it through HTTP headers (perhaps via wp_redirect()), use esc_url_raw() instead. More information can be found on the Make blogs at WordPress.org.
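The pattern described above, as an added example that is not part of the original post or of WP eCommerce’s own code. It assumes it is loaded as a WordPress plugin, so remove_query_arg(), esc_url(), esc_url_raw(), wp_redirect() and wp_remote_post() are the real WordPress functions; the request URI and the api.example.com endpoint are constructed for illustration, and the qae_* function names are hypothetical. The first function shows the vulnerable shape, the rest show the hardened form for each kind of sink.

```php
<?php
/*
 * Plugin Name: Query Arg Escaping Example
 * Description: Added example (not WP eCommerce code). Assumes it runs inside
 * WordPress so remove_query_arg(), esc_url(), esc_url_raw(), wp_redirect()
 * and wp_remote_post() are available.
 */

// Constructed request for illustration only:
//   /wp-admin/admin.php?page=qae&%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E=1
//
// remove_query_arg( 'paged' ) builds its result from $_SERVER['REQUEST_URI']
// and URL-decodes the parameter names, so the encoded key comes back as
//   "><script>alert(1)</script>
// inside the returned URL. Printing that URL raw into an href breaks out of
// the attribute.

// VULNERABLE: decoded URL echoed straight into an attribute.
function qae_vulnerable_link() {
	$url = remove_query_arg( 'paged' );
	echo '<a href="' . $url . '">Reset paging</a>';
}

// FIXED for HTML output: esc_url() re-encodes quotes, angle brackets and
// other characters that would terminate the attribute, so the payload is
// rendered as inert text inside the href.
function qae_safe_link() {
	$url = remove_query_arg( 'paged' );
	echo '<a href="' . esc_url( $url ) . '">Reset paging</a>';
}

// FIXED for an HTTP header: esc_url_raw() cleans the URL without the
// HTML-entity encoding that esc_url() applies, which is what a Location
// header needs.
function qae_safe_redirect() {
	wp_redirect( esc_url_raw( remove_query_arg( 'updated' ) ) );
	exit;
}

// FIXED for an outbound API call: same rule, esc_url_raw() for anything that
// is not being printed into HTML.
function qae_safe_remote_call() {
	$return_to = esc_url_raw( remove_query_arg( 'nonce' ) );
	return wp_remote_post(
		'https://api.example.com/ping', // constructed endpoint
		array( 'body' => array( 'return_to' => $return_to ) )
	);
}

// Hook the safe link into an admin notice so the example does something
// when activated (the vulnerable function is never called).
add_action( 'admin_notices', function () {
	echo '<div class="notice notice-info"><p>';
	qae_safe_link();
	echo '</p></div>';
} );
```

The choice between the two escapers follows the sink, not the source: esc_url() for anything that lands in HTML, esc_url_raw() for headers, database writes and outbound requests. Passing an explicit base URL as the second argument of remove_query_arg() avoids the $_SERVER['REQUEST_URI'] path, but the output should still be escaped at the point where it is used.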
We are incredibly grateful to the WordPress community at large – but especially to the following people:
- Joost de Valk and Sucuri, for their responsible disclosure on this matter. To Joost, specifically, for his leadership and much of the contents of this post.
- The WordPress.org Security team, especially Gary Pendergast and Dion Hulse.
- All the WordPress plugin authors who coordinated and worked incredibly hard (and very quickly) to get these releases out.