diff --git a/readme.txt b/readme.txt
index d575dea92bc56bd79ea6f65e7d7fff2279f753c3..109476ca1727b6da668f1fac5c1c05c8dde1132f 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: ethitter, thinkoomph
 Donate link: http://www.thinkoomph.com/plugins-modules/view-all-posts-pages/
 Tags: view all, pages, paged, paged post, multipage, single view, single page, wp_link_pages, nextpage, next page, quicktag
 Requires at least: 3.2.1
-Tested up to: 4.1
-Stable tag: 0.9
+Tested up to: 4.2
+Stable tag: 0.9.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -45,6 +45,9 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
 == Changelog ==
+= 0.9.1 =
+* Security update: correct misuse of `add_query_arg()` as identified by Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.
+
 = 0.9 =
 * Move conditional registration of some filters to `init`, both to ensure external code can interact with filters and to avoid PHP notices.
@@ -92,6 +95,9 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
 == Upgrade Notice ==
+= 0.9.1 =
+Security update: correct misuse of `add_query_arg()` as identified by Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.
+
 = 0.9 =
 Recommended update for anyone hoping to use plugin's filters to modify its behaviour.
diff --git a/view-all-posts-pages.php b/view-all-posts-pages.php
index 68a38c2f4e3d32ce049f68fde392185513abe0ca..a552c4d02c655d99fab9e1f4644b44ef156de603 100644
--- a/view-all-posts-pages.php
+++ b/view-all-posts-pages.php
@@ -1,11 +1,11 @@
 <?php
 /*
 Plugin Name: View All Post's Pages
-Plugin URI: http://www.thinkoomph.com/plugins-modules/view-all-posts-pages/
+Plugin URI: http://www.oomphinc.com/plugins-modules/view-all-posts-pages/
 Description: Provides a "view all" (single page) option for posts, pages, and custom post types paged using WordPress' <a href="http://codex.wordpress.org/Write_Post_SubPanel#Quicktags" target="_blank"><code><!--nextpage--></code> Quicktag</a> (multipage posts).
 Author: Erick Hitter & Oomph, Inc.
-Version: 0.9
-Author URI: http://www.thinkoomph.com/
+Version: 0.9.1
+Author URI: http://www.oomphinc.com/
 Text Domain: view_all_posts_pages
 This program is free software; you can redistribute it and/or modify
@@ -686,9 +686,9 @@ class view_all_posts_pages {
 <div id="wpf-rewrite-flush-warning" class="error fade">
 <p><strong><?php _e( 'View All Post\'s Pages', 'view_all_posts_pages' ); ?></strong></p>
- <p><?php printf( __( 'You must refresh your site\'s permalinks before <em>View All Post\'s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.', 'view_all_posts_pages' ), admin_url( 'options-permalink.php' ) ); ?></p>
+ <p><?php printf( __( 'You must refresh your site\'s permalinks before <em>View All Post\'s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.', 'view_all_posts_pages' ), esc_url( admin_url( 'options-permalink.php' ) ) ); ?></p>
- <p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.', 'view_all_posts_pages' ), admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) ); ?></p>
+ <p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.', 'view_all_posts_pages' ), esc_url( admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) ) ); ?></p>
 </div>
 <?php
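Review bot: The `add_query_arg()` calls that need auditing are the ones that omit the URL argument, and the `@@ -686,9` hunk shows none of them: its one call passes `'index.php'` explicitly, so it never fell back to the request URI. As far as the linked advisory describes the problem, that fallback is the risky case, which makes the added `esc_url()` correct `href` escaping but hardening rather than the fix itself. It is worth confirming that every other `add_query_arg()` / `remove_query_arg()` call in the plugin is wrapped in `esc_url()` at output, or `esc_url_raw()` where the value feeds a redirect. The heading on the context line above still echoes a translated string unescaped; `esc_html_e( 'View All Post\'s Pages', 'view_all_posts_pages' );` would bring it in line with the rest of the change. The enclosing method starts and ends outside the hunk.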