Background: Due to a now-fixed ambiguity in the documentation for the
remove_query_arg() function, many plugins were using it incorrectly, allowing for potential XSS attack vectors in their code.
remove_query_arg() has an optional argument to define the base query string to use. If this argument is undefined, it falls back to
$_SERVER['REQUEST_URI'], which is unescaped and attacker-controlled: anyone who can get a user to open a crafted link chooses what it contains. When the result is printed to a page without escaping, it is a reflected XSS vector.
The easiest way to fix this in your plugin is to escape the output of
remove_query_arg(). When it’s being printed to a page (for example as a link), you should use
esc_url(). When it’s being used in HTTP headers or as part of a HTTP request (for example, as part of a location redirect header or in a
wp_remote_get() call), you should use
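To make the fix concrete, here is an added example of the vulnerable plugin pattern next to two escaped forms. It is not code from the original post or from WordPress core; it assumes it runs inside a loaded WordPress (saved as a plugin file, or run with `wp eval-file`) so that remove_query_arg(), esc_url(), esc_html() and admin_url() exist, and the plugin slug "myplugin", the function names and the request URI are hypothetical.

```php
<?php
/**
 * Added example: not code from the original post or from WordPress core.
 * Assumes a loaded WordPress (plugin file or `wp eval-file`), so
 * remove_query_arg(), esc_url(), esc_html() and admin_url() are available.
 * The slug "myplugin", the function names and the request below are hypothetical.
 */

// Constructed request: the URL an attacker gets a logged-in user to open.
// A browser would usually percent-encode the quotes and angle brackets before
// sending them; the parameter is untrusted either way, and the fixes below do
// not depend on the exact encoding that arrives.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=myplugin&paged=3&"><script>alert(1)</script>=1';

/**
 * Vulnerable: no base URL is passed, so remove_query_arg() falls back to
 * $_SERVER['REQUEST_URI'], and the result lands in an href attribute unescaped.
 */
function myplugin_reset_link_vulnerable() {
    return '<a href="' . remove_query_arg( 'paged' ) . '">Reset paging</a>';
}

/**
 * Fix 1: escape for the output context. esc_url() strips characters outside
 * its URL whitelist (quotes and angle brackets included) and rejects
 * disallowed protocols, so the attribute cannot be broken out of.
 */
function myplugin_reset_link_escaped() {
    return '<a href="' . esc_url( remove_query_arg( 'paged' ) ) . '">Reset paging</a>';
}

/**
 * Fix 2: additionally pass an explicit base URL so the raw request path is
 * never the starting point. Keep esc_url(): the base argument limits what the
 * attacker controls, it does not escape the output.
 */
function myplugin_reset_link_explicit_base() {
    $base = admin_url( 'admin.php?page=myplugin' );
    return '<a href="' . esc_url( remove_query_arg( 'paged', $base ) ) . '">Reset paging</a>';
}

// Print the three results as text (esc_html) so the generated markup can be
// compared in a terminal or browser without actually executing it.
foreach ( array( 'myplugin_reset_link_vulnerable', 'myplugin_reset_link_escaped', 'myplugin_reset_link_explicit_base' ) as $fn ) {
    echo $fn, ': ', esc_html( $fn() ), "\n";
}
```

The vulnerable version reproduces the closing quote and the script tag from the request inside the href; the escaped versions do not. A quick audit of an existing plugin is to search it for every remove_query_arg( call and check that each result is wrapped in the escaping function appropriate to where it is used, treating any bare call that reaches output as a bug.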
Edit by Ipstenu: Also read Sucuri’s reasonable disclosure on the matter. Many plugins have been patched and auto-updated in a massive coordinated effort to stem this one before it gets nasty.