Version 2.5.5 of SearchWP has just been released. It addresses a possible security vulnerability that was disclosed recently and subsequently resulted in an update to WordPress core in version 4.1.2. I want to explain the vulnerability and what it means for users of SearchWP.
This vulnerability only affected admin pages under very specific circumstances: Viewing an admin page while logged in and authenticated with the
manage_options capability (unless otherwise customized using
searchwp_settings_cap). While extremely unlikely, it is important that all security issues are fixed as soon as possible.
The vulnerability inspired a full audit of SearchWP’s codebase and subsequently version 2.5.5 includes a number of additional escaping, sanitizing, and casting implementations. This was done to improve the overall security of SearchWP should another vulnerability like this one appear over time, but to also clarify the codebase for other developers. While much of the data handling was already in place in SearchWP, having it happen as late as possible is considered best practice.
The underlying issue had to do with unescaped usage of
add_query_arg() and all usage has been escaped as of version 2.5.5. URLs generated with
add_query_arg() without escaping are possibly susceptible to Cross-site Scripting (XSS) attacks.
This issue was disclosed very publicly as it affects many WordPress plugins and also affected WordPress core. An update to WordPress was released (version 4.1.2) so it is recommended that you update SearchWP, WordPress, and all of your installed plugins/themes as quickly as possible to avoid any issues.
If you have any questions about this update, please contact me.
Other upates in 2.5.5
Version 2.5.5 also brings an improvement to the accuracy of ‘Today’ search stats, better exception handling with failed PDF parsing, and an added French translation.
If you are able to fully translate SearchWP into another language please contact me for a free SearchWP license as a thank you!
- [Security Fix] XSS prevention for authenticated users in the admin with add_query_arg
- [Improved] Security improvements: additional/redundant escaping/preparing/casting so as to harden the code base and improve readability
- [Improved] More accurate Today stats
- [Improved] Better translation support
- [Improved] Better exception handling with PDF parsing
- [Fix] Better handling of misconfiguration when attributing an excluded post
- [New] Added French translation