• Resolved brenolara

    (@brenolara)


    There is a recent warning regarding a major vulnerability. Most plugin developers were quick with updates to address the issue.

    However, just in case, there are some guys suggesting that it is wise to create a .htaccess file in the wp-admin folder to block external calls to the admin initialization functions.

    Is BPS already doing that for us, or should we add custom code to the wp-admin .htaccess file?

    You have an awesome plugin by the way!

    Best regards

    https://wordpress.org/plugins/bulletproof-security/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author AITpro

    (@aitpro)

    First off, in order to actually exploit this “vulnerability” it would require a very complex effort by a hacker to pull this off, and several conditions|requirements would have to exist in order for it to work. The chances of a hacker actually making the effort to exploit this and for the hack to actually work are extremely low. Hackers focus on automated bot attacks with volume being the goal, i.e. hack 1,000 sites in a day using an automated bot. It is not cost effective for a hacker to actually try and hack 1 site. They go for automated volume|bulk hacking because it is profitable. Onesies-twosies is typically not profitable unless hacking a particular site would be very profitable.

    WordPress 4.1.2 was released in coordination with all plugins listed to address this issue. I am not sure if WP did the sanitization for the XSS bug|vulnerability so that even if a plugin did not do that in the plugin code then the bug|vulnerability would still be sanitized.

    https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

    Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

    Conclusion: This bug|vulnerability has been patched in all plugins and WP 4.1.2 and higher versions. The chances of a hacker making the effort to exploit this are pretty much zero. Personally and professionally I do not think any other methods of securing the wp-admin folder|directory or adding any additional security measures are necessary.
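
    The following is an added example (not code from this thread, from BulletProof Security, or from the Sucuri advisory) that models the add_query_arg() misuse the advisory describes. `demo_add_query_arg()` is a simplified stand-in for WordPress's add_query_arg(): like the real function it falls back to `$_SERVER['REQUEST_URI']` when no URL is passed, URL-decodes the existing query string, and rebuilds it without re-encoding, so percent-encoded `"` and `<` come back out raw. The request URI, plugin slug and parameter names are constructed for the demo, and `htmlspecialchars()` stands in for esc_url() so the script runs without WordPress loaded.

```php
<?php
// Added example: models the reflected XSS behind the add_query_arg() advisory.
// demo_add_query_arg() is a simplified stand-in for WordPress's add_query_arg(),
// not the real function. It reproduces the two behaviours that matter here:
//   1. with no URL argument it builds on the raw $_SERVER['REQUEST_URI'];
//   2. it decodes the existing query string and rebuilds it without re-encoding.
function demo_add_query_arg(array $args, ?string $url = null): string
{
    $url   = $url ?? ($_SERVER['REQUEST_URI'] ?? '/');
    $parts = explode('?', $url, 2);
    $base  = $parts[0];
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query); // parse_str() percent-decodes keys and values
    }
    $query = array_merge($query, $args);
    $pairs = [];
    foreach ($query as $key => $value) {
        $pairs[] = $key . '=' . $value; // no urlencode(): decoded bytes are emitted raw
    }
    return $base . '?' . implode('&', $pairs);
}

// Vulnerable pattern: the rebuilt URL is written into an HTML attribute unescaped.
function vulnerable_link(): string
{
    return '<a href="' . demo_add_query_arg(['tab' => 'general']) . '">General</a>';
}

// Hardened pattern: escape for the attribute context before output.
// In a plugin this is esc_url(); htmlspecialchars() is used here so the
// script runs stand-alone. Both remove the raw '"' and '<' that close the
// attribute and open a tag.
function hardened_link(): string
{
    $href = htmlspecialchars(demo_add_query_arg(['tab' => 'general']), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">General</a>';
}

// Returns true when the rendered markup contains an unescaped injected tag.
function contains_injected_script(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

// Constructed request URI: a logged-in admin has been tricked into following a
// crafted wp-admin link. The payload is percent-encoded, as a browser would send it.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo-plugin'
    . '&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E';

echo "vulnerable: " . vulnerable_link() . "\n";
echo "injected?   " . (contains_injected_script(vulnerable_link()) ? 'yes' : 'no') . "\n";
echo "hardened:   " . hardened_link() . "\n";
echo "injected?   " . (contains_injected_script(hardened_link()) ? 'yes' : 'no') . "\n";
```

    Running it prints the vulnerable anchor with the attribute closed early and a `<script>` tag injected, and the hardened anchor with `"`, `<`, `>` and `&` entity-encoded. It also illustrates why this needs more than a bot scan to exploit: the payload only fires in the browser of someone who follows the crafted link to a page that renders it, which is the "several conditions" point above, and why the fix is an output-escaping change in each plugin rather than something an .htaccess rule in wp-admin can reliably block.
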

    Thread Starter brenolara

    (@brenolara)

    Thank you very much for taking your time to take a look at this issue.

    Awesome support as usual!
