WP HealthKit

XSS

Cross-Site Scripting (XSS) is an attack in which attacker-controlled script is injected into a trusted website and executes in victims' browsers with that site's origin, where it can read page content, steal cookies or tokens, and perform actions as the logged-in user.

How it works

XSS occurs when an application writes untrusted data into a page without escaping it for the context in which it lands, so the browser interprets the data as markup or script instead of text. There are three types: Stored XSS (the malicious script is saved server-side, for example in a post, comment or option, and served to everyone who views it), Reflected XSS (the script arrives in a request, typically a URL parameter, and is echoed straight back in the response), and DOM-based XSS (client-side JavaScript reads attacker-controlled data such as location.hash and writes it into the page through a sink like innerHTML, so the server never sees the payload). In WordPress plugins, the most common XSS vulnerability is echoing request parameters or database values without escaping. Input validation and sanitization help but do not replace output escaping: the same stored value is harmless in one output context and dangerous in another, and only escaping at output knows which context it is.

In WordPress

WordPress provides context-specific escaping functions: esc_html() for text in the HTML body, esc_attr() for values inside quoted HTML attributes, esc_url() for URLs in href and src (it also drops URLs whose scheme is not allowed, such as javascript:, which esc_attr() would let through untouched because the string contains nothing to encode), and esc_js() for strings inside inline JavaScript in a tag attribute such as onclick. To pass data from PHP into a script block or an enqueued script, use wp_json_encode(), wp_add_inline_script() or wp_localize_script() rather than hand-escaping. The rule is simple: escape late, at the point of output, using the function that matches the output context, and always quote the attribute an esc_attr() value goes into, because no escaping function protects an unquoted attribute.

Code example

// Vulnerable: $user_input is written into the page unchanged, so a value
// such as <script>...</script> or "><img src=x onerror=...> becomes markup
echo '<div>' . $user_input . '</div>';

// Safe: each output gets the escaping function for its context
echo '<div>' . esc_html($user_input) . '</div>';       // HTML body text
echo '<input value="' . esc_attr($user_input) . '">';   // quoted attribute
echo '<a href="' . esc_url($url) . '">';                // URL in href
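The contexts listed above, worked through as one complete shortcode handler that reflects two request parameters. This is an added example written for this page, not WP HealthKit's own code and not a WordPress core snippet; it assumes it runs inside WordPress (esc_html(), esc_attr(), esc_url(), sanitize_text_field(), wp_unslash(), home_url() and wp_json_encode() are core functions), and the shortcode name, parameter names and element id are invented for the illustration.

```php
<?php
/**
 * Plugin Name: XSS Escaping Demo
 *
 * Added example, not WP HealthKit's code. It assumes it runs inside WordPress,
 * which supplies esc_html(), esc_attr(), esc_url(), sanitize_text_field(),
 * wp_unslash(), home_url() and wp_json_encode(). Activate it, put
 * [xss_demo_search] on a page, then load that page with parameters such as
 *   ?q=%22+onmouseover%3D%22alert(1)   (attribute break-out attempt)
 *   ?ret=javascript:alert(1)           (dangerous URL scheme)
 */

/**
 * Render a search form that reflects two request parameters: q (free text)
 * and ret (a "back to" URL). Each output context gets its own escaper.
 */
function xss_demo_search_shortcode() {
    // WordPress slashes superglobals, so unslash before sanitizing. Reject
    // array values (?q[]=x) up front. sanitize_text_field() is defense in
    // depth only: it strips tags and control characters, but a value like
    //   " onmouseover="alert(1)
    // passes through untouched and is still untrusted in every context below.
    $q   = ( isset( $_GET['q'] ) && is_string( $_GET['q'] ) )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $ret = ( isset( $_GET['ret'] ) && is_string( $_GET['ret'] ) )
        ? sanitize_text_field( wp_unslash( $_GET['ret'] ) ) : '';

    // JavaScript context: encode the value as a JSON literal. The HEX flags
    // turn < > & ' " into \uXXXX escapes, so the string can neither close the
    // <script> element nor break out of the literal. esc_html()/esc_attr()
    // are the wrong context here; esc_js() is only for tag-attribute handlers.
    $q_json = wp_json_encode( $q, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    if ( false === $q_json ) {
        $q_json = '""'; // Encoding failed (invalid UTF-8): fall back to an empty literal.
    }

    // URL context: esc_url() encodes unsafe characters and returns '' for any
    // URL whose scheme is not in wp_allowed_protocols(), so "javascript:alert(1)"
    // becomes "". esc_attr() would have let it through: nothing in it is encoded.
    $safe_ret = esc_url( $ret );

    ob_start();
    ?>
    <form method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
        <?php // Attribute context: esc_attr(), and the attribute is always quoted. ?>
        <input type="text" name="q" value="<?php echo esc_attr( $q ); ?>">
        <button type="submit">Search</button>
    </form>

    <?php if ( '' !== $q ) : ?>
        <?php // HTML body context: esc_html() turns < into &lt; so no tag is created. ?>
        <p>Results for: <?php echo esc_html( $q ); ?></p>
    <?php endif; ?>

    <?php if ( '' !== $safe_ret ) : // Link only when esc_url() left a usable URL. ?>
        <p><a href="<?php echo $safe_ret; // Already escaped by esc_url() above. ?>">Back</a></p>
    <?php endif; ?>

    <span id="xss-demo-query"></span>
    <script>
        // Fed from PHP through the JSON literal built above. For enqueued
        // scripts use wp_add_inline_script() or wp_localize_script() instead.
        var xssDemoQuery = <?php echo $q_json; // Escaped by wp_json_encode() above. ?>;
        // DOM context: textContent, not innerHTML, so the client side does not
        // reintroduce the same bug as DOM-based XSS.
        document.getElementById( 'xss-demo-query' ).textContent = xssDemoQuery;
    </script>
    <?php
    return ob_get_clean();
}
add_shortcode( 'xss_demo_search', 'xss_demo_search_shortcode' );
```

Two lines echo a variable without an esc_* call on the same line: $safe_ret was already produced by esc_url(), and $q_json by wp_json_encode(), and escaping either a second time would corrupt the value. Static checkers that flag every unescaped echo will report those lines, which is a reason to keep the escaping call on the echo line itself in production code or to annotate the exception; it is not a reason to add a second, wrong-context escaper.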

WP HealthKit checks for XSS-related vulnerabilities automatically
