Many popular WordPress plugins have been found vulnerable to Cross-site Scripting (XSS) due to misuse of the add_query_arg() and remove_query_arg() functions. These are widely used helpers that plugin developers call to add, modify and strip query-string parameters in URLs within WordPress.
The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them insecurely. Developers assumed that these functions would escape the user input for them, which they do not: when called without an explicit URL, both functions build on the current request URI ($_SERVER['REQUEST_URI']), so the string they return is partly attacker-controlled, and echoing it into HTML unescaped produces a reflected XSS. This simple detail caused many of the most popular plugins to be vulnerable.
To date, this is the list of affected plugins:
Google Analytics by Yoast
All In one SEO
Multiple Plugins from Easy Digital Downloads
Related Posts for WordPress
Multiple iThemes products including Builder and Exchange
There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out-of-date plugins now.
If you are a plugin developer, always escape the return value of add_query_arg() and remove_query_arg(): use esc_url() when echoing the URL into HTML (an href attribute, for example) and esc_url_raw() when storing it or passing it to a redirect. For example,
<?php echo esc_url(add_query_arg('foo', 'bar')); ?>
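As an added example (not code from the original post or from any of the affected plugins), here is a hypothetical plugin file showing the vulnerable pattern next to the escaped forms. It assumes WordPress has loaded the functions it calls (add_query_arg(), esc_url(), esc_url_raw(), admin_url(), wp_safe_redirect()); the demo_* function names and the "demo" admin page slug are made up for illustration.

```php
<?php
/**
 * Plugin Name: Query Arg Escaping Example (added example, hypothetical plugin)
 *
 * Assumes it is loaded by WordPress, so add_query_arg(), esc_url(),
 * esc_url_raw(), admin_url() and wp_safe_redirect() are available. The
 * function names and the "demo" admin page are assumptions for illustration.
 */

/**
 * VULNERABLE: no base URL is given, so add_query_arg() starts from
 * $_SERVER['REQUEST_URI']. Query values are urldecoded while the parameters
 * are merged and written back raw, so a crafted request such as
 *
 *   /wp-admin/admin.php?page=demo&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
 *
 * yields an href attribute that is closed early by the injected quote and
 * followed by a <script> element. Kept only to show the pattern to look for.
 */
function demo_next_link_vulnerable( $current_page ) {
	$url = add_query_arg( 'paged', (int) $current_page + 1 );
	return '<a href="' . $url . '">Next</a>';
}

/**
 * FIXED: the same call, escaped at output time. esc_url() strips characters
 * that are not valid in a URL (including ", < and >) and entity-encodes & and '
 * for HTML context, so the attribute can no longer be broken out of.
 */
function demo_next_link_fixed( $current_page ) {
	$url = add_query_arg( 'paged', (int) $current_page + 1 );
	return '<a href="' . esc_url( $url ) . '">Next</a>';
}

/**
 * ALSO FIXED: build on an explicit, trusted base instead of the request URI.
 * This takes the attacker's control over the path and query away entirely;
 * the result is still escaped on output, because escaping at the point of
 * output is the habit that keeps the next change to this code safe.
 */
function demo_next_link_explicit_base( $current_page ) {
	$base = admin_url( 'admin.php?page=demo' );
	$url  = add_query_arg( 'paged', (int) $current_page + 1, $base );
	return '<a href="' . esc_url( $url ) . '">Next</a>';
}

/**
 * Storing or redirecting: use esc_url_raw(), which applies the same character
 * filtering without the HTML entity encoding that would corrupt a Location
 * header or a value written to the database.
 */
function demo_redirect_to_next_page( $current_page ) {
	$url = add_query_arg( 'paged', (int) $current_page + 1 );
	wp_safe_redirect( esc_url_raw( $url ) );
	exit;
}
```

To audit a plugin for this pattern, search its source for every call to add_query_arg() and remove_query_arg() (for example with grep -rn "add_query_arg\|remove_query_arg" on the plugin directory) and confirm that each result is wrapped in esc_url() before it reaches HTML, or in esc_url_raw() before it reaches a redirect or the database. Passing an explicit base URL is a good habit, but it is not a substitute for escaping.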