Home WordPress Security Glossary Cross-site scripting (XSS)

Cross-site scripting (XSS)

What is cross-site scripting?

Cross-site scripting (XSS) is a vulnerability that when exploited allows an attacker to inject code into a vulnerable website. In websites vulnerable to XSS, this is made possible due to how the website parses user input. These inputs are typically found in contact, search and other type of forms.

In such cases, the malicious user inserts executable code (such as malicious JavaScript) into the input field, which the vulnerable website then saves.

The malicious script is then sent as part of the response to another user requesting that page. The script is then executed in the victim’s browser where it is able to carry out a number of actions such as accessing the user’s cookies including session information and other sensitive data. Once the attacker has the cookie, they can take over the user’s session.

How does cross-site scripting work?

There are two main types of XSS attacks – Server XSS and Client XSS. Both server and client cross-site scripting attacks can be achieved in different ways, which we explain down below.

Persistent XSS

Also known as Direct XSS. In persistent XSS attacks, the attacker injects a malicious script that the server stores in its database or files. The file is then sent to the target victim when they receive a reply from the server, without either the server or the victim realizing there is a malicious script embedded in the response.

Non-persistent XSS

Also known as Indirect and Reflected XSS. In non-persistent XSS attacks, the malicious script is sent to the user embedded in a server response link to a vulnerable website. When the victim clicks on the link, the script payload is delivered.

DOM-based XSS

Unlike other cross-site scripting attacks, DOM-based XSS attacks execute the malicious code through a modification of the DOM (Document Object Model) environment. This is made possible since modern web applications push logic to the client. Vulnerable websites do not check URI contents and will execute any embedded malicious code.

Why is cross-site scripting dangerous?

Cross-site scripting is dangerous because it allows attackers to inject any code they want into a vulnerable website. In most cases, this is used to steal cookies, which in turn allows the attacker to access the website as the victim.

Depending on the victim’s user account, the attacker will then be able to launch further attacks including stealing data and/or shutting the website down.

How cross-site scripting can be introduced to WordPress

XSS attacks are carried out through the posting of data to WordPress, such as forms. This technically means that any form you have on your WordPress website might be used to launch such an attack.

It is important to note that WordPress, as well as many plugin developers, put checks in place to ensure attackers cannot carry out XSS attacks. These checks are done through sanitization, where any data submitted by users is checked to ensure that there is no code.

This does not mean that attackers will not be able to find a workaround, but it does make it less likely. Either way, vigilance, and a comprehensive WordPress security policy are well-advised.

How to protect your WordPress website from cross-site scripting

As mentioned above, vigilance and a good WordPress security policy are important aspects of website administration that will reduce the risk of a number of different attacks. However, there are a number of additional steps you can take to protect your WordPress website from cross-site scripting attacks.

Only install trusted plugins (and themes)

You should avoid installing nulled plugins and themes. These are not supported by vendors and it is not guaranteed that they include all of the checks and balances that legitimate software includes. Equally important, you should make sure that any plugins you install come from reputable developers. Frequent updates, good reviews, and timely support are generally good indicators that the plugin is trustworthy.

Read our guide to choosing the best WordPress plugins for your website for more information about this subject.

Keep everything updated

Bugs in software can leave you open to security risks – which is why it’s so important to keep everything updated. Developers address security issues through updates, which may also include new or improved features. Overall updates help you stay more secure and productive.

Stay in the loop

Subscribe to the Melapress newsletter and receive curated WordPress management and security tips and content.

Newsletter icon

It’s free and you can unsubscribe whenever you want. Check our blog for a taste.

Envelope icon