The Ultimate Managed Hosting Platform
Home Wordpress WordPress XSS And What Can You Do About It

WordPress XSS And What Can You Do About It

Just recently, WordPress released 2.8.6 with a critical security update that patches a cross-site scripting vulnerability found by Benjamin Flesch. That’s right, the same kid who discovered a way to patch your WordPress blog by exploiting a similar XSS vulnerability has found another.

Cross-site scripting

When I started working more with web application security, I was amazed at the amount of web developers who are unaware of all the possible entry points the applications they develop have. Of these vulnerabilities, cross-site scripting (or XSS) still leads the pack according to WhiteHat Security.

Best Cloud Hosting for Wordpress
Best Cloud Hosting for Wordpress

A cross-site scripting vulnerability takes place when an attacker injects a client-side script into a web page. This attack can be used to bypass access controls, steal cookies, and hijack an active session to steal sensitive information.

What does this have to do with WordPress

So you have been running a pretty successful blog for the past couple of years. You don’t store credit card data or social security numbers, so what’s the big deal right? After all, no one is going to try to break into your database to read your posts right? If only it were that easy.

Exploiting an XSS vulnerability, an attacker can upload a link containing malicious content in a comment on your blog. When an unsuspecting user clicks on this link, the attacker is able to collect data from the unsuspecting visitor who clicked on the link. Your blog serving as the springboard to the attack.

What can you do about it?

Of course, upgrading your WordPress blog to 2.8.6 will address the immediate problem found in this vulnerability. However, this isn’t the last XSS vulnerability that will be found on WordPress, or any other popular web-based application.

Best Cloud Hosting for Wordpress
Best Cloud Hosting for Wordpress

To better protect your blog, a few simple steps can be taken:

  • Always keep your WordPress software up-to-date. Most of the time, critical updates are released to address security issues such as XSS vulnerabilities.
  • Make sure that any plug-ins or widgets you install are free of XSS vulnerabilities. Third-party add-ons can be full of vulnerabilities if the developer has not taken care to ensure that all input is validated and escaped (
  • Take care to make sure any themes you use for your blog are not vulnerable to XSS exploits. Themes, like plug-ins and widgets, that have been created be people who may not even know that a vulnerability exists. You can check themes for these exploits by accessing http://<blog-URL>/index.php/index.php/”><script>alert()</script> . If an alert window opens, the theme is vulnerable. You can find more about this check from The H Security.

Must Read

The 5 Best Email Marketing Tools for Ecommerce This 2019

Operating an eCommerce store has unique challenges that not all email platforms address equally. That's why it is vital to choose an email marketing...

5 Website Design Tips That Will Make Your Business Boom

When designing a website, take careful precision to dedicate as much time to every facet as possible. Consider the user, consider the pathways they...

Would Product Visualisation Help Your Company?

If you’re running a company, there’s no doubt you’ve thought about how you can best present your products and services to the customer.That’s the...

10 Actionable Tips to Improve the Speed of your WordPress Website

Page speed is an important issue for website users. Pages that load fast can help to decrease bounce rate, improve user experience and improve...

How Much Does It Cost to Build an App in 2019

Software application building is one of the fastest growing fields for over one decade now. The major mobile app stores like Google Play and...
Load WordPress Sites in as fast as 37ms!WordPress XSS And What Can You Do About It 1