Due to the misuse of the add_query_arg() and remove_query_arg() functions, a number of WordPress Plugins are vulnerable to Cross-site Scripting (XSS).
Being very popular, the add_query_arg() and remove_query_arg() functions are used by developers to modify and add query strings to URLs within WordPress.
According to Sucuri, the WordPress Codex for these functions was not very clear, misleading plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.
The list of affected plugins:
Google Analytics by Yoast
All In one SEO
Multiple Plugins from Easy Digital Downloads
Related Posts for WordPress
Multiple iThemes products
Due to the varying degrees of severity and the large volume of plugins affected, all developers involved together with the WordPress core security team had all plugins patched through a joint security release.
We recommend that you go to your wp-admin dashboard and update any outdated plugins.