A lot of WordPress Plugins and Themes are vulnerable to Cross-site Scripting (XSS) due to an unappropriate usage of two functions: add_query_arg() and remove_query_arg().
Some of the plugins/themes have been updated to reflect current changes, some have not.
If you don’t want to wait until all of your files are update to the latest version or if you want to be sure that your web site is not affected, see my tutorial below.
As a side note, it’s quite likely that your web site has a problem with this thing, if you use lots of plugins.
Below, my video solution to the problem.
The problem is described in detail here:
and the solution is detailed here:
Another solution:
A case study with solving the issue:
From my personal experience, for some web sites I just deleted some seldom used plugins.
Also, if the plugin is very popular (Akismet, JetPack, WordPress), it’s likely that the bug has been fixed. The problem is with unpdated themes, and less popular plugins.
Check the plugin page and see when it was last updated, as a simple measure.
If you have multiple sites to edit, a good option to know about is to search for files NOT containing add_query_arg and deleting them, and then to search for empty directories and remove them, and, in the end, you’ll have a list of all the files which contain “add_query_arg”. (note that with this solution you will lose the references to remove_query_arg so perhaps you should have two folders and do this thing twice; but, generally, it’s unlinkely that a file has remove_query_arg but not add_query_arg)
Update: The problem is solved by updating to WordPress 4.2.1 (WordPress 4.2.1 Release fixes another XSS vulnerability)