Where the Vevida Optimizer WordPress plugin kept plugins on all my WordPress sites up-to-date: Sucuri reports that multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the
remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. If you haven’t configured automatic updates for WordPress plugins, please update NOW!
The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.
Read more at Sucuri blog Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins.
Great team work there guys!