The Google Analytics for WordPress plugin was found with a XSS scripting vulnerability, if the track outbounds clicks option was selected.

This issue was found by David Whitehouse and James Slater of DavidNaylor.co.uk  and notified the develop right away. The developer, Joost de Valk took immediate action and got this security issue fixed.

On July 20, 2011, this plugin was updated in the WordPress.org Plugin Repository to version 4.1.3 and is available for immediate download.

Google Analytics for WordPress Plugin Changelog:

Version 4.1.3 — Security fix: badly crafted comments could lead to insertion of “weird” links into comments. They'd have to pass your moderation, but still… Immediate update advised.

If you're using Google Analytics for WordPress plugin version 4.1.2 or before it is advised that you update this plugin immediately!

To find out more about this security issue, please read “Update Yoast's Google Analytics for WordPress Plugin V4.1.3 — XSS Scripting Vulnerability Fixed.”

Thanks David and James for finding and reporting this issue. And thanks Joost for updating your plugin so fast!

What should you do now?

If you're using an earlier version of the Google Analytics for WordPress plugin (pre-4.1.3), update this plugin immediately. You can upgrade from your WordPress Dashboard (wp-admin) or download the lastest version here. You can also find out more by visiting Yoast.com.

Leave Your Feedback

Do you use this plugin? If so, how do you like it? Was your WordPress blog affected by any weird links and/or codes in your comments and using this plugin before the update?

Securely yours,

Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan