How Cross Site Scripting Can Allow Hackers to Put Code on a Website

If you are familiar at all with WordPress, you know that web security is a huge priority for the WordPress team. One benefit of using WordPress as a web content management system is that security fixes are applied to your site automatically.

Recently, a major XSS (Cross Site Scripting) vulnerability was discovered and fixed by the WordPress team.

Cross Site Scripting is a common website vulnerability that affects web forms, search boxes and any other place where a user can submit content that ends up in a website's database.

For example: imagine a website with a guestbook feature that lets users submit their name and a message through a web form. The form sends this information to the server, which inserts it into the database. Because the server accepts whatever text is sent to it, code can be submitted through the form just as easily as a friendly message; in this case, JavaScript.

[Figure: guestbook-screenshot-script]

The web server cannot tell the difference between a nice message from someone who really loves your website and malicious code that a hacker is trying to inject into it. In our example, we are simply inserting some JavaScript code that opens a pop-up box with some text.

[Figure: guestbook-screenshot]

This example may seem mundane, but the implications are not to be taken lightly. It is like leaving the door to your web server open to the entire world. In this scenario, a user is able to execute JavaScript code right on your website. Normally that would require developer access to the web server, but the vulnerability makes it possible for anyone to run code on your website. All it takes is someone talented enough at JavaScript to come along and inject code that allows them to gain access to the whole site.
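The guestbook scenario above, as an added example that is not part of the original post: a minimal renderer that shows why stored input must be HTML-escaped before it is placed in a page. The entries and the `alert` message are constructed sample data, and the function names are this example's own, not WordPress APIs.

```javascript
// Added example (not from the original post): rendering stored guestbook
// entries with and without output escaping. All rows below are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that carry meaning in HTML text and
// double-quoted attribute contexts, so the browser treats stored user
// input as text rather than markup.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: stored fields are concatenated straight into the
// page, so a saved <script> tag is sent to every visitor's browser intact.
function renderEntryUnsafe(entry) {
  return `<li><b>${entry.name}</b>: ${entry.message}</li>`;
}

// Hardened rendering: every untrusted field passes through escapeHtml().
function renderEntrySafe(entry) {
  return `<li><b>${escapeHtml(entry.name)}</b>: ${escapeHtml(entry.message)}</li>`;
}

// Constructed guestbook rows, as they might come back from the database.
// The second row is the pop-up demo the post describes.
const entries = [
  { name: 'Alice', message: 'Love the site!' },
  { name: 'Mallory', message: "<script>alert('xss')</script>" },
];

function renderGuestbook(rows, renderer) {
  return `<ul>${rows.map(renderer).join('')}</ul>`;
}

// Simple check for the tests below: is there still a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderGuestbook(entries, renderEntryUnsafe)); // script tag survives
console.log(renderGuestbook(entries, renderEntrySafe));   // rendered as &lt;script&gt;...
```

Escaping is context specific: this helper covers HTML text and quoted attribute values only, and in WordPress the equivalent is to pass output through `esc_html()` or `esc_attr()` for those contexts.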

If you are already using WordPress, you are in good shape. However, you could still be vulnerable to this kind of attack if your site relies on plugins for any of its features. This makes regular updates and maintenance of both WordPress itself and your site's plugins critical to ensure compatibility and security.
