The most common vulnerability in WordPress is called Cross Site Scripting (XSS). We would like to explain about this vulnerability.
What is a cross-site scripting vulnerability?
Simply put, cross-site scripting is a vulnerability that allows an arbitrary JAVASCRIPT to be executed on a browser.
A JAVASCRIPT is a program that is executed on the user’s browser, not on the server, and controls the site’s movements, communicates behind the scenes to bring data, etc. However, writing files and accessing the user’s computer are heavily restricted Script.
Therefore, even if there is a cross-site scripting vulnerability, the data on the WordPress site’s server will not be tampered with.
What can a cross-site scripting vulnerability do?
If a user clicks on a link that contains malicious JavaScript code in cross-site scripting, an arbitrary JavaScript can be executed on your site.
In this case, users may suffer the following damage
Users will be directed to malicious site advertisements or fraudulent sites.
The user’s login information (information stored in the browser’s cookie) on your site is sent to the hacker.
(For this reason, XSS is especially important to be aware of on sites where users log in.)
The login information of the WordPress administrator is sent.
(However, this login information is encrypted, so it does not immediately leak the administrator’s login. Please refer to this article ).
XSS is used as a springboard for spam mail and DDOS attacks.
XSS does not have an email sending function, but it is possible to make a contact form on a WordPress site work with XSS.
(* XSS itself does not have an email sending function, but it is possible to make a contact form on a WordPress site work with XSS.
How to prevent cross-site scripting vulnerabilities?
The following measures are effective in preventing the use of cross-site scripting vulnerabilities.
Update plug-ins and other software to eliminate the vulnerability.
Set up a Javascript execution policy called Content Security Policy.
Reference What is Content Security Policy CSP? How to set it up in WordPress
For WordPress malware and vulnerability scanning, please refer to the following
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]
if you would like to use it.