XSS Security Bug in WordPress Themes - how to update

A few days ago, somebody brought to my attention that there was a security bug in my themes (as well as in the default WP themes) that allowed XSS (cross site scripting) attacks. It only affects WP themes that use custom 404 error pages, which includes my WordPress themes, too. The reason is that $_SERVER['PHP_SELF'] contains whatever path the visitor requested (the script name plus any trailing path info), so a crafted URL that matches no post lands on the 404 template, and the sidebar search form on that page echoes the attacker's path back into the HTML unescaped.

The problematic piece of code is found in the search form of the sidebar template (sidebar.php) and also in the search widget located in the file “functions.php”:

echo $_SERVER['PHP_SELF']

I have just updated my themes and checked my blog for other XSS vulnerabilities using the WP Scanner by Blogsecurity.net and now everything is fine.

If you are using any of my SEO WordPress themes, you should either download an updated version of my themes or update your theme using the theme editor in your WP admin panel.

Updating your WordPress theme is very simple:

1. Log in to your WP blog and go to Presentation > Theme Editor (in newer WordPress versions the menu is called Design or Appearance instead of Presentation).

2. Click on the sidebar link to load the sidebar template into the editor.

3. Search for the following piece of code:

<?php echo $_SERVER['PHP_SELF']; ?>

and replace it with:

<?php bloginfo('url'); ?>

Save the changes (click “update file” button)

4. Click on the functions.php link to load the functions template into the editor (this file contains the widgets).

5. Repeat step 3. Hint: the code for the search widget is located in the upper part of this file.

That's it. Now your theme is safe (unless you have previously made some custom changes that echo request data elsewhere, which I can't know about). The fixed form simply sends the search query to your blog's root URL, which WordPress handles as a normal search. You should also always upgrade to the latest version of WordPress, because earlier versions of WP have other security issues (including cross site scripting issues) of their own.
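To see what the fix actually changes, here is an added example (not code from my themes or from WordPress) that renders the search form three ways: with the original echo of $_SERVER['PHP_SELF'], with the bloginfo('url') replacement from the steps above, and with a third variant that keeps PHP_SELF but HTML-encodes it, which is my own addition for templates that genuinely need the request path. It also includes a small audit function that walks a theme directory and reports every PHP file still echoing PHP_SELF, so you catch copies of the search form outside sidebar.php and functions.php. The request path, the blog URL and the bloginfo() stand-in are constructed for the demonstration so the script runs from the command line without a WordPress install.

```php
<?php
// Added example, not from the theme or WordPress. Shows why echoing
// $_SERVER['PHP_SELF'] into the search form is an XSS sink, what the fixed
// template emits, and an audit of a theme directory for leftover uses.

// Constructed attacker request: PHP builds PHP_SELF from the script name plus
// trailing path info, so this URL reaches the 404 template with the payload
// still inside PHP_SELF.
$_SERVER['PHP_SELF'] = '/index.php/"><script>alert(document.cookie)</script>';

// Stand-in for the WordPress template tag bloginfo('url'), which echoes the
// blog URL stored in the options table. Hard-coded here (assumption) so the
// script runs alone; inside a real theme the WordPress core function is used.
if (!function_exists('bloginfo')) {
    function bloginfo($show) {
        if ($show === 'url') {
            echo 'http://example.com';
        }
    }
}

// The form as it appeared in the affected sidebar.php / functions.php:
// the request path goes straight into an HTML attribute.
function vulnerable_search_form() {
    return '<form method="get" id="searchform" action="'
        . $_SERVER['PHP_SELF'] . '">'
        . '<input type="text" name="s" id="s" />'
        . '<input type="submit" value="Search" /></form>';
}

// The fix from the post: point the form at the blog URL, which the visitor
// cannot influence. WordPress answers http://example.com/?s=term with results.
function fixed_search_form() {
    ob_start();
    bloginfo('url');
    $url = ob_get_clean();
    return '<form method="get" id="searchform" action="' . $url . '">'
        . '<input type="text" name="s" id="s" />'
        . '<input type="submit" value="Search" /></form>';
}

// Alternative (my addition, not the post's fix): if a template must echo a
// request-derived value, encode it for the attribute context. ENT_QUOTES also
// escapes the double quote that closes the attribute in the payload above.
function escaped_self_search_form() {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $self . '">'
        . '<input type="text" name="s" id="s" />'
        . '<input type="submit" value="Search" /></form>';
}

// Audit helper: every .php file under a theme directory that still reads
// $_SERVER['PHP_SELF'], reported as path:line.
function find_php_self_echoes($theme_dir) {
    $hits = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($theme_dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (substr($file->getFilename(), -4) !== '.php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (preg_match('/\$_SERVER\s*\[\s*[\'"]PHP_SELF[\'"]\s*\]/', $line)) {
                $hits[] = $file->getPathname() . ':' . ($n + 1);
            }
        }
    }
    return $hits;
}

// Compare the three outputs; a raw <script> tag survives only in the first.
$forms = array(
    'vulnerable' => vulnerable_search_form(),
    'fixed'      => fixed_search_form(),
    'escaped'    => escaped_self_search_form(),
);
foreach ($forms as $name => $html) {
    $tag = strpos($html, '<script>') !== false ? 'SCRIPT TAG PRESENT' : 'clean';
    echo str_pad($name, 11) . $tag . "\n" . $html . "\n\n";
}

// Usage: php check.php /path/to/wp-content/themes/mytheme
if (isset($argv[1]) && is_dir($argv[1])) {
    foreach (find_php_self_echoes($argv[1]) as $hit) {
        echo "still echoes PHP_SELF: $hit\n";
    }
}
```

Run it without arguments to see the three rendered forms, or pass your theme directory to list any remaining PHP_SELF echoes. The bloginfo('url') fix works because the value comes from your own settings rather than from the request; the htmlspecialchars() variant is the general rule for any request-derived value that ends up inside an HTML attribute.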

If you are unsure about whether your blog is XSS proof or not, use the WP Scanner. This tool also checks your plugins for possible XSS vulnerabilities.

Category: Blogging