Joost de Valk is announcing a security update to both the WordPress SEO plugin and our Google Analytics plugin.
The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
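An added example, not code from the page or from any plugin, showing the pattern described above: a URL helper's return value written into HTML without escaping, next to the escaped form. `build_url()` is a hypothetical stand-in, written on the assumption that the functions in question behave like WordPress's `add_query_arg()`, which falls back to the current request URI when no URL is passed; the request URI is constructed sample input.

```php
<?php
// Hypothetical stand-in for a URL helper that, when given no base URL,
// falls back to the current request URI and returns it unescaped.
function build_url(array $args, ?string $request_uri = null): string
{
    $uri = $request_uri ?? ($_SERVER['REQUEST_URI'] ?? '/');
    $sep = (strpos($uri, '?') === false) ? '?' : '&';
    return $uri . $sep . http_build_query($args);
}

// Vulnerable pattern: the helper's return value goes straight into an attribute,
// on the mistaken assumption that the helper already escaped it.
function render_link_unsafe(string $request_uri): string
{
    return '<a href="' . build_url(['page' => 2], $request_uri) . '">Next</a>';
}

// Hardened pattern: escape at the point of output, for the HTML attribute context.
function render_link_safe(string $request_uri): string
{
    $url = build_url(['page' => 2], $request_uri);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Next</a>';
}

// Constructed request URI containing a quote and markup (sample input).
$sample = '/list/?q="><b>injected</b>';

$unsafe = render_link_unsafe($sample);
$safe   = render_link_safe($sample);

// Unsafe output: the request-controlled part closes the href attribute early.
var_dump(strpos($unsafe, '"><b>injected</b>') !== false);
// Safe output: quotes and angle brackets are entity-encoded, so no tag appears.
var_dump(strpos($safe, '<b>') === false);

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

In WordPress code the corresponding fix is to pass the returned URL through `esc_url()` before it is output.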
A few other plugins are affected too. The affected plugins include Gravity Forms, Ninja Forms, WPTouch, Easy Digital Downloads, Jetpack, WP e-Commerce, All In One SEO Pack, and that’s just some of the big ones.
Details here
Security firm Sucuri also released a long but as yet incomplete list of WordPress plugins that share the same bug, which may leave millions of websites — and their users — exposed to cross-site scripting attacks.
Read about this here