WordPress Plugin Reflected Cross Site Scripting

OWASP 2013-A3 OWASP 2017-A7 OWASP PC-C4 WASC-08 WSTG-INPV-01 CWE-79

Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker executes malicious scripts in a website or web application. In Reflected Cross Site Scripting, the attacker’s payload script is part of the URL sent to the web server. The server sends the request content back in the HTTP response, so the response includes the payload from the HTTP request. Using phishing and other user-luring techniques, the attacker tries to get end users to make a request to the server that carries the Cross Site Scripting code. Reflected Cross Site Scripting isn’t a persistent attack: the attacker needs to deliver the payload to each victim. This is done by spamming end users.

Older versions of WordPress had plugins that allowed attackers to inject browser-executable code. The application fails to properly process input when the attacker includes executable code as part of a custom URI or HTTP parameters. The result is a Reflected Cross-site Scripting attack.

Impact

The attacker can:

  • Execute malicious code
  • Destabilize the web application
  • Achieve Remote Command Execution

Mitigation / Precaution

This vulnerability can be fixed by:

  • Updating the plugin to the latest version.
  • Ensuring that the inputs are properly validated.
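
As an added illustration of the input handling described above (not code from any real plugin), the following PHP shows a hypothetical plugin function that reflects a request parameter unchanged, beside a version that validates the input and escapes it on output. The function names, the s_term and order parameters, and the sample input are assumptions made for this example; inside WordPress the escaping is done by esc_html(), and the htmlspecialchars() fallback only lets the script run stand-alone.

```php
<?php
// Added example: hypothetical plugin code, not taken from any real plugin.

// Escape a value for HTML text or a quoted attribute. Inside WordPress this
// uses esc_html() (esc_attr() is the attribute counterpart); the fallback
// to htmlspecialchars() lets the script run without WordPress loaded.
function demo_escape(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// BEFORE: the request parameter is reflected into the response unchanged,
// so any markup it carries becomes part of the page.
function demo_search_form_vulnerable(array $query): string {
    $term = $query['s_term'] ?? '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="s_term" value="' . $term . '">';
}

// AFTER: validate on input, escape on output.
function demo_search_form_hardened(array $query): string {
    $term = $query['s_term'] ?? '';
    // Validation: must be a string (not an array parameter) of bounded length.
    if (!is_string($term) || strlen($term) > 100) {
        $term = '';
    }
    // Validation by allow-list for a parameter with a fixed set of values.
    $order = $query['order'] ?? 'asc';
    if (!in_array($order, ['asc', 'desc'], true)) {
        $order = 'asc';
    }
    $safe = demo_escape($term);
    return '<p>Results for: ' . $safe . ' (' . $order . ')</p>'
         . '<input type="text" name="s_term" value="' . $safe . '">';
}

// Constructed sample input standing in for $_GET.
$sample = ['s_term' => '"><i>test</i>', 'order' => 'desc<b>'];
echo demo_search_form_vulnerable($sample), "\n";
echo demo_search_form_hardened($sample), "\n";
```

In the hardened output the quote and angle brackets appear as HTML entities, so the browser renders them as text, and the unrecognised order value falls back to the default.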
