On April 20, a vulnerability in certain implementations of WordPress’s add_query_arg and remove_query_arg functions was subject to coordinated disclosure and patches. The vulnerability has been linked to flawed documentation in the WordPress codex.
In the course of a code search looking for the use of these functions across the WordPress.org plugin repository, vulnerable use of these functions was identified in WPtouch Pro’s theme and extension switching routines. This code is present in versions 3 and higher of both the free and Pro editions of WPtouch, though it is only used in the Pro edition.
The release of 3.7.6 of our plugins addresses this vulnerability in WPtouch Pro 3 and also corrects the inactive code in WPtouch 3.
Other plugins affected by this vulnerability included:
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
Although though the free edition of WPtouch includes some of the affected code, it is not executed in the regular operation of the plugin and will not expose users to vulnerability.
Versions of WPtouch and WPtouch Pro predating the 3.x release (such as WPtouch 1.9, and WPtouch Pro 2.x) do not use the add_query_arg and remove_query_arg functions and are also not subject to this vulnerability.
There is no security-related need to automatically update versions of the plugin not affected by this vulnerability.
As always we endorse keeping your WordPress installation and plugins up to date with all released updates.