Home Wordpress WordPress XSS And What Can You Do About It

WordPress XSS And What Can You Do About It

Just recently, WordPress released 2.8.6 with a critical security update that patches a cross-site scripting vulnerability found by Benjamin Flesch. That’s right, the same kid who discovered a way to patch your WordPress blog by exploiting a similar XSS vulnerability has found another.

Cross-site scripting

When I started working more with web application security, I was amazed at the amount of web developers who are unaware of all the possible entry points the applications they develop have. Of these vulnerabilities, cross-site scripting (or XSS) still leads the pack according to WhiteHat Security.

Best Cloud Hosting for Wordpress
Best Cloud Hosting for Wordpress

A cross-site scripting vulnerability takes place when an attacker injects a client-side script into a web page. This attack can be used to bypass access controls, steal cookies, and hijack an active session to steal sensitive information.

What does this have to do with WordPress

So you have been running a pretty successful blog for the past couple of years. You don’t store credit card data or social security numbers, so what’s the big deal right? After all, no one is going to try to break into your database to read your posts right? If only it were that easy.

Exploiting an XSS vulnerability, an attacker can upload a link containing malicious content in a comment on your blog. When an unsuspecting user clicks on this link, the attacker is able to collect data from the unsuspecting visitor who clicked on the link. Your blog serving as the springboard to the attack.

What can you do about it?

Of course, upgrading your WordPress blog to 2.8.6 will address the immediate problem found in this vulnerability. However, this isn’t the last XSS vulnerability that will be found on WordPress, or any other popular web-based application.

Best Cloud Hosting for Wordpress
Best Cloud Hosting for Wordpress

To better protect your blog, a few simple steps can be taken:

  • Always keep your WordPress software up-to-date. Most of the time, critical updates are released to address security issues such as XSS vulnerabilities.
  • Make sure that any plug-ins or widgets you install are free of XSS vulnerabilities. Third-party add-ons can be full of vulnerabilities if the developer has not taken care to ensure that all input is validated and escaped (http://www.w3.org/TR/charmod/#sec-Escaping).
  • Take care to make sure any themes you use for your blog are not vulnerable to XSS exploits. Themes, like plug-ins and widgets, that have been created be people who may not even know that a vulnerability exists. You can check themes for these exploits by accessing http://<blog-URL>/index.php/index.php/”><script>alert()</script> . If an alert window opens, the theme is vulnerable. You can find more about this check from The H Security.

Must Read

How Much Does It Cost to Build an App in 2019

Software application building is one of the fastest growing fields for over one decade now. The major mobile app stores like Google Play and...

Reasons Why We Give Importance to Visual Content

Take a look online and you’ll find it difficult to locate a web page that doesn’t have an image attached to it unless you’re...

How to Organize Your WordPress Website Better

The best feeling is having a clean website, especially when you started on a clean slate when installing WordPress. Many times, content creators may...

Magento 2 vs WordPress WooCommerce – Which Is the Best Ecommerce Platform for Your Business?

Nowadays, building e-commerce is more comfortable than never before thanks to e-commerce platforms. The only hard part of starting is choosing the best platform...

Why You Should Choose Managed WordPress Hosting

If you're competing on the internet and chosen WordPress as your content management system, you have an important decision to make. Are you going...
Load WordPress Sites in as fast as 37ms!WordPress XSS And What Can You Do About It 1