A coordinated plugin update occurred Monday morning between many popular WordPress plugins to address a common security vulnerability that allows for XSS cross-site scripting attacks.
Post Status published a great article explaining the security vulnerability, and Yoast published a post explaining the backstory.
The exact number of plugins affected is unknown, but a number of the most popular WordPress plugins are affected, and millions of websites are vulnerable due to this issue. Jetpack and Yoast’s WordPress SEO alone are active on well over a million websites.
Sucuri has identified a minimum of fifteen plugins affected, but they have only looked into the top 300-400 and others that were notable.
Jetpack, Easy Digital Downloads, P3 Plugin Profiler, Download Monitor, and Related Posts for WordPress are all opting in to automated forced updates from WordPress.org. This means that these plugins have created new releases for each major branch of their plugins to be distributed and automatically updated by the WordPress.org team.
Other plugins are not opting in. Notably, Yoast did not opt in for WordPress SEO or their Google Analytics plugin. Joost de Valk cites concerns that some site owners had their plugins deactivated during the last forced upgrade process they went through.
Brian Krogsgard
WordPress Security Update
On Tuesday, WordPress also rolled out Security Release 4.1.2.
This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
Gary Pendergast
If you host with our favorite managed host WP Engine, they’ll update WordPress for you.
Update WordPress And Your Plugins
This means you need to log in to your WordPress site and update WordPress if it hasn’t been updated automatically. You also need to update ALL of your plugins that have updates available — but please don’t just log in and click the update button without preparing first!
Be sure to perform a complete backup of your site before performing any updates, and if you have another service provider, such as a virtual assistant, handle this for you, ensure they back up the site in full — especially if your site is your primary source of leads and income.
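One way to carry out that backup-then-update routine from the command line, as an added example that is not part of the original post: it assumes WP-CLI (`wp`) is installed, and takes the site's document root and a backup directory as its two arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Full backup first, then update
# WordPress core and every plugin with an update available, using WP-CLI.
set -eu

wp_backup_and_update() {
    site_dir="$1"
    backup_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"

    # 1. Complete backup: database dump plus the whole document root
    #    (wp-config.php, wp-content, uploads and all).
    wp --path="$site_dir" db export "$backup_dir/db-$stamp.sql"
    tar -czf "$backup_dir/files-$stamp.tar.gz" -C "$site_dir" .

    # 2. Make sure the archive is readable before touching the site;
    #    an unrestorable backup is no backup.
    tar -tzf "$backup_dir/files-$stamp.tar.gz" >/dev/null
    [ -s "$backup_dir/files-$stamp.tar.gz" ]

    # 3. Update core (and its database schema), then ALL plugins that
    #    have an update available, not just the ones you remember.
    wp --path="$site_dir" core update
    wp --path="$site_dir" core update-db
    wp --path="$site_dir" plugin update --all

    # 4. Report anything still outdated; this list should now be empty.
    wp --path="$site_dir" plugin list --update=available --field=name
}

# Usage: sh update-site.sh /var/www/example.com /var/backups/example.com
if [ "$#" -eq 2 ]; then
    wp_backup_and_update "$1" "$2"
fi
```

Restore from the `db-*.sql` dump and `files-*.tar.gz` archive if an update leaves the site broken.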