-2

Obviously I'm not sharing the actual site being referenced, but the page itself isn't anything special. Just a regular WordPress page, no out-of-the-ordinary scripts on it. However, we received this message:

=========

A white-hat hacker just reported an issue with example.com/sub-page. You can run arbitrary JavaScript, it seems, by modifying the URL:

https://example.com/subpage/#__proto__=&0[style][0]=1&0[style][1]=%3Cimg/src/onerror%3dalert(document.domain)%3E

=======

Is this a real hack or someone just trying to get rewarded? When I go to the modified link, nothing happens. We have Wordfence and standard hosting security. I'm trying to understand if this "hack" is just a website norm or if additional security needs to be installed on our WordPress websites.

TheWizCK

3 Answers

0

If the JavaScript, which is included in your link sample, gets executed, it will produce an alert prompt box with your domain on it. If you can see it, then your website has an XSS vulnerability.

J. Doe
0

This is to check whether your site can be hacked or not. If it shows a result, then attacks will follow in the next step. So, take the necessary security steps to reduce loopholes.

0

In order to prevent cross-site scripting in WordPress, you can download the security plugin, which I would do anyway, and hardcode parameters into your PHP code. The WordPress security suite may do this by itself, but it is helpful to look at the code to make certain.
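
A static triage of the URL quoted in the question, as an added example that is not part of the original posts: it flags prototype-pollution style keys and event-handler markup, and records whether the payload sits in the query (sent to the server) or only in the fragment (never sent, so a server-side filter such as a WAF plugin cannot inspect it). The function names are hypothetical; the URL is the one from the question.

```javascript
// Added example: static triage of a reported URL. Nothing here loads the page.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a bracketed key such as "a[b][c]" into ["a", "b", "c"].
function keyPath(key) {
  return key.split(/[\[\]]+/).filter(Boolean);
}

function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); }
  catch { return s; } // keep malformed percent-escapes as-is
}

function triageReportedUrl(raw) {
  const url = new URL(raw);
  const findings = [];
  const parts = [['query', url.search.slice(1)], ['fragment', url.hash.slice(1)]];
  for (const [where, text] of parts) {
    for (const pair of text.split('&').filter(Boolean)) {
      const eq = pair.indexOf('=');
      const key = decode(eq < 0 ? pair : pair.slice(0, eq));
      const value = decode(eq < 0 ? '' : pair.slice(eq + 1));
      if (keyPath(key).some((seg) => POLLUTION_KEYS.has(seg))) {
        findings.push({ where, kind: 'prototype-key', key });
      }
      // Markup carrying an inline event handler, e.g. <img ... onerror=...>
      if (/<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(value)) {
        findings.push({ where, kind: 'html-event-handler', key });
      }
    }
  }
  return {
    findings,
    // Browsers never send the fragment, so server-side filters and logs cannot see it.
    serverVisible: findings.some((f) => f.where === 'query'),
  };
}

// Run in the browser console on the loaded page: properties that page script
// put on Object.prototype by plain assignment are enumerable and show up here.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// The URL quoted in the question.
const reported = 'https://example.com/subpage/#__proto__=&0[style][0]=1&0[style][1]=%3Cimg/src/onerror%3dalert(document.domain)%3E';
console.log(triageReportedUrl(reported), pollutedPrototypeKeys());
```

An empty result from `pollutedPrototypeKeys()` on the loaded page, together with no alert box, is consistent with the asker's observation that nothing happens; a non-empty result points at a client-side script that parses the fragment.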