Note: The following article is an extract from my guide on creating secure WordPress plugins. As well as XSS, it will contain advice on avoiding SQL injection, CSRF and other vulnerabilities.

Cross Site Scripting (XSS)

The most common vulnerability found in WordPress-related code is Cross Site Scripting (XSS). XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

There are two main types of XSS:

- Persistent (or Stored)
- Reflected

With persistent XSS, the attacker's payload is stored server-side, either in a database or on the file system, and is then rendered every time a user visits a page that displays it. With reflected XSS, an attacker crafts a specially formatted URL that carries the payload, and the script runs once a user clicks on it. Reflected XSS is generally considered less dangerous because it relies on the attacker convincing each victim to click on the specially crafted URL, whereas a stored payload reaches every visitor of the affected page with no further interaction. Both types of XSS are caused when
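The following is an added example, not code from the guide: a small WordPress plugin that shows the reflected and stored cases side by side, with the vulnerable output next to its hardened form. The function and option names (xssdemo_*) are made up for illustration; the WordPress functions used (esc_html, esc_attr, esc_url, sanitize_text_field, wp_unslash, shortcode_atts, check_admin_referer) are real core APIs. The vulnerable functions are deliberately left unregistered so that dropping this file into a test site does not expose them.

```php
<?php
/**
 * Plugin Name: XSS Demo (added example, not part of the original guide)
 *
 * Two shortcodes and one admin save handler that contrast unescaped output
 * with output escaped for the context it lands in.
 */

// ---------------------------------------------------------------------------
// Reflected XSS: the payload travels in the URL and is echoed straight back.
// ---------------------------------------------------------------------------

// VULNERABLE (not registered): a visitor sent to
// /?q=<script>alert(document.cookie)</script> has the script run in their browser.
function xssdemo_search_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<p>You searched for: ' . $q . '</p>';
}

// HARDENED: unslash and sanitize on input, and escape on output for the
// HTML body context. esc_html() is what actually stops the script from running.
function xssdemo_search_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>You searched for: ' . esc_html( $q ) . '</p>';
}
add_shortcode( 'xssdemo_search', 'xssdemo_search_safe' );

// ---------------------------------------------------------------------------
// Stored XSS: the payload is saved once and served to every visitor.
// ---------------------------------------------------------------------------

// Admin form handler (hooked to admin-post.php?action=xssdemo_save_tagline).
// Capability and nonce checks are kept so the example is not CSRF-able;
// the stored value is stripped of tags before it reaches the database.
function xssdemo_save_tagline() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'xssdemo_save_tagline' );

    $raw = isset( $_POST['xssdemo_tagline'] ) ? wp_unslash( $_POST['xssdemo_tagline'] ) : '';
    update_option( 'xssdemo_tagline', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_xssdemo_save_tagline', 'xssdemo_save_tagline' );

// VULNERABLE (not registered): data read back from the database is trusted.
// If any code path ever stored raw HTML (an older version, a direct DB edit,
// another plugin), it now runs for every visitor.
function xssdemo_tagline_vulnerable() {
    return '<div class="tagline">' . get_option( 'xssdemo_tagline', '' ) . '</div>';
}

// HARDENED: treat the stored value as untrusted at output time as well.
function xssdemo_tagline_safe() {
    return '<div class="tagline">' . esc_html( get_option( 'xssdemo_tagline', '' ) ) . '</div>';
}
add_shortcode( 'xssdemo_tagline', 'xssdemo_tagline_safe' );

// ---------------------------------------------------------------------------
// Context matters: attributes and URLs need their own escapers.
// ---------------------------------------------------------------------------

// esc_html() alone is not enough inside href="": a javascript: URL contains
// no characters that esc_html() changes. esc_url() rejects disallowed
// protocols, and esc_attr() handles the quoted attribute value.
function xssdemo_link_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => '' ), $atts, 'xssdemo_link' );
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $atts['label'] ),
        esc_html( $atts['label'] )
    );
}
add_shortcode( 'xssdemo_link', 'xssdemo_link_safe' );
```

The point to take from the pairs is that sanitizing on input is defence in depth, not the fix: the database and the query string are both untrusted at the moment the HTML is built, so the escaping call belongs at the output, chosen for the context (body text, attribute, or URL) the value is written into.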