high risk

How to Fix Cross-Site Scripting (XSS) in WordPress

Cross-Site Scripting (XSS) lets an attacker inject malicious JavaScript into pages your visitors see — stealing sessions, defacing content, or redirecting users. On WordPress it almost always comes from an outdated plugin or theme, or from custom code that outputs unsanitized data.

  1. 1

    Update the vulnerable plugin or theme

    Most WordPress XSS flaws are already patched in a newer release. Update every plugin, theme, and WordPress core to the latest version. If a plugin has an unpatched XSS and no fix is available, deactivate and remove it.

  2. 2

    Escape all output in custom code

    Never echo raw data. Use WordPress escaping functions on every dynamic value depending on context — esc_html(), esc_attr(), esc_url(), and wp_kses_post() for allowed HTML.

    echo esc_html( $user_supplied );
    printf( '<a href="%s">%s</a>', esc_url( $link ), esc_html( $text ) );
  3. 3

    Sanitize input on the way in

    Validate and sanitize data before saving it with sanitize_text_field(), sanitize_email(), or absint() as appropriate, and verify nonces on form submissions.

  4. 4

    Add a Content-Security-Policy header

    A CSP limits which scripts can run, blocking most injected payloads even if one slips through. Add it via your theme, a security plugin, or your server config.

    Content-Security-Policy: default-src 'self'; script-src 'self'

Related concept: Cross-Site Scripting (XSS)

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides