Cross-site Scripting, also referred to as “XSS”, are are the most common attacks on the web where malicious scripts are injected into a website. These malicious scripts could be injected into normally trusted websites via a number of different methods. Because the browser expects the script to be part of the trusted website, it is hard to identify as a malicious script. Once a malicious script has been injected into a WordPress website, the attacker can perform all kinds of attacks:
- The information on your website in may be changed in the users browser. For example, the attacker could change the bank account number displayed on your site
- Your websites visitors could be show advertisements or redirected to different websites (often gambling, porn or crypto scam related)
- Your website visitors browsers could be used to mine crypto currencies or make them participating in attacks on other websites
- The attacker could steal sensitive user information from your website
- The attacker could steal authentication cookies, hijack the user’s session and take over the account
Cross-site scripting attacks and WordPress
The cause of Cross-site Scripting vulnerabilities in your website is almost always due to insecure code in WordPress or installed plugins & themes. No longer supported versions of WordPress, plugins & themes and nulled / pirated plugins & themes are a high risk. But even WordPress and many plugins & themes developed by experienced and trusted developers have had known vulnerabilities in the past. A good developer will usually fix a known vulnerability fast, mostly before it is even known to the public.
Thus, the most important thing you can do to protect against Cross-site scripting is to keep your WordPress version and all plugins & themes up-to-date. There will be times when there are unfixed vulnerabilities in WordPress, plugins & themes though. In this case many Cross-site Scripting attacks can still be prevented by setting a good Content Security Policy for your site.