WordPress is a popular open source blogging platform that has been much maligned in security circles. Having run a WordPress site now for years I can safely attest that it is no small feat to lock one down. The problem is further complicated by the use of plugins. I have been guilty of using far too many plugins in the past. My site would crawl as a result. Even now with a thinned down plugin list there is always the problem that this is code that you’re introducing into your site from a third party.

So, who wrote that code? Is it a free plugin? Did you pay for it? How confident are you in the security of that code?

*crickets*

I was afraid of that.

The problem that came to light today is in a WordPress plugin called WP-Super-Cache written by Donncha Ó Caoimh, who works as a software developer at Automattic. OK, what does the WP-Super-Cache plugin do? Well, from the plugin page they have this to say, “This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.”

Seems simple enough. So, what exactly is the problem? The plugin has a persistent XSS vulnerability. According to the WP-Super-Cache plugin page on WordPress.org it appears that this plugin is used on in excess of 1 million sites. Hmm, this is ugly.

The plugin works on WordPress sites up to, and including, version 4.1.1. So, what is the risk here? Well, the folks at Sucuri announced that this morning.

From Sucuri:

“Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually. When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.”

That’s a pain. Well, the inevitable question is “what is to be done?” First off do not head to the bunker or eat your neighbors. There is a fix available for the problem already. Version 1.4.4 is available for WP-Super-Cache which fixes this persistent XSS issue.

It is fairly simple to upgrade the plugin. In your WordPress administrator panel select “Plugins” and then click on the heading “Update available”. This will list all of the associated plugins that have updates available. Pretty simple. Select the WP-Super-Cache plugin and set the “Action” drop down at the top of the page to “Update” and away it goes.

Then, if all has gone according to plan you should have a fresh install.

Get your patch on, now!
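
If you look after more than one site, clicking through every admin panel gets old fast. Here is a small added example (not from the original post, and not code from the plugin or from Sucuri) that reads the plugin header on disk and flags any install older than the fixed 1.4.4 release. It assumes the plugin sits in the default `wp-content/plugins/wp-super-cache/` directory with `wp-cache.php` as its main file; the sample sites and their version numbers are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 4)  # release that fixes the persistent XSS, per the post
# Assumption: default plugin directory, with wp-cache.php as the main plugin file.
PLUGIN_MAIN = Path("wp-content/plugins/wp-super-cache/wp-cache.php")
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None if missing."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads only the first 8 KB for headers
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(site_root):
    """Classify one WordPress root as absent, unknown, vulnerable or patched."""
    main = Path(site_root) / PLUGIN_MAIN
    if not main.is_file():
        return "absent", None
    version = parse_version(main.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "unknown", None
    # Tuple comparison keeps 1.4.10 newer than 1.4.4, unlike a string compare.
    return ("vulnerable" if version < FIXED else "patched"), version


def make_constructed_site(root, version):
    """Build a minimal fake install (constructed sample data, not a real plugin)."""
    main = Path(root) / PLUGIN_MAIN
    main.parent.mkdir(parents=True)
    main.write_text(f"<?php\n/*\nPlugin Name: WP Super Cache\nVersion: {version}\n*/\n")
    return root


def demo():
    """Audit four constructed sites and return {site name: (status, version)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in [("blog-a", "1.4.3"), ("blog-b", "1.4.4"), ("blog-c", "1.4.10")]:
            results[name] = audit(make_constructed_site(Path(tmp) / name, ver))
        (Path(tmp) / "blog-d").mkdir()  # a site without the plugin installed
        results["blog-d"] = audit(Path(tmp) / "blog-d")
    return results


if __name__ == "__main__":
    for site, (status, version) in demo().items():
        print(site, status, ".".join(map(str, version)) if version else "-")
```

Point `audit()` at each of your real WordPress document roots in place of the constructed ones; anything reported as vulnerable needs the update described above.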