From bd9833b68b6ee4a9daad5729a5f512fbfc25e6b7 Mon Sep 17 00:00:00 2001 From: Harini180518 Date: Sun, 30 Nov 2025 18:32:53 -0500 Subject: [PATCH 1/3] Add files via upload Add case study: XSS in WordPress plugins --- javascript/xss-wordpress-harini.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 javascript/xss-wordpress-harini.md diff --git a/javascript/xss-wordpress-harini.md b/javascript/xss-wordpress-harini.md new file mode 100644 index 0000000..71eb190 --- /dev/null +++ b/javascript/xss-wordpress-harini.md @@ -0,0 +1,13 @@ + Cross-Site Scripting (XSS) in WordPress Plugins +A Case Study by Harini Dodla (George Mason University) + + Overview +Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities affecting modern websites. It occurs when untrusted user input is displayed on a webpage without proper sanitization or escaping, allowing attackers to inject malicious JavaScript. Since a large percentage of the internet runs on WordPress, even a small vulnerability in a plugin can expose millions of users. + +This case study focuses on a real and recurring pattern of XSS issues found in WordPress plugins. Many plugin developers do not consistently use WordPress’s built-in escaping and sanitization functions, creating opportunities for attackers to execute scripts in victims’ browsers. This study explains how XSS happens, demonstrates the impact, and provides actionable recommendations for secure coding. + + Description of the Vulnerability +XSS happens when an application takes user-supplied input (such as a form field, comment, or setting) and outputs it directly into HTML. If the output is not escaped properly, an attacker can inject code like: + +html + From 2c97522a943ee6755ed6fd556a040e7b6248ca2d Mon Sep 17 00:00:00 2001 From: Harini180518 Date: Fri, 12 Dec 2025 22:20:44 -0500 Subject: [PATCH 2/3] Create msccs-buffer-overflow-cve-2025-40123.md Add C buffer overflow case study for CVE-2025-40123 --- c/msccs-buffer-overflow-cve-2025-40123.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 c/msccs-buffer-overflow-cve-2025-40123.md diff --git a/c/msccs-buffer-overflow-cve-2025-40123.md b/c/msccs-buffer-overflow-cve-2025-40123.md new file mode 100644 index 0000000..57ebd2a --- /dev/null +++ b/c/msccs-buffer-overflow-cve-2025-40123.md @@ -0,0 +1,3 @@ +# Case Study: Buffer Overflow in TLS Handshake Parser (CVE-2025-40123) + +Authored by: Harini Dodla From 9ee32b9fb172ef160276e7ccee51100da7144c74 Mon Sep 17 00:00:00 2001 From: Harini180518 Date: Fri, 12 Dec 2025 22:38:17 -0500 Subject: [PATCH 3/3] Update xss-wordpress-harini.md Address professor feedback: add root cause and prevention section --- javascript/xss-wordpress-harini.md | 45 +++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/javascript/xss-wordpress-harini.md b/javascript/xss-wordpress-harini.md index 71eb190..64064a1 100644 --- a/javascript/xss-wordpress-harini.md +++ b/javascript/xss-wordpress-harini.md @@ -1,13 +1,50 @@ - Cross-Site Scripting (XSS) in WordPress Plugins -A Case Study by Harini Dodla (George Mason University) +# Cross-Site Scripting (XSS) in WordPress Plugins +## A Secure Coding Case Study + +**Author:** Harini Dodla +**Institution:** George Mason University + + ## Overview - Overview Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities affecting modern websites. It occurs when untrusted user input is displayed on a webpage without proper sanitization or escaping, allowing attackers to inject malicious JavaScript. Since a large percentage of the internet runs on WordPress, even a small vulnerability in a plugin can expose millions of users. This case study focuses on a real and recurring pattern of XSS issues found in WordPress plugins. Many plugin developers do not consistently use WordPress’s built-in escaping and sanitization functions, creating opportunities for attackers to execute scripts in victims’ browsers. This study explains how XSS happens, demonstrates the impact, and provides actionable recommendations for secure coding. +## Specific Vulnerability + +This case study focuses on a specific stored Cross-Site Scripting (XSS) vulnerability +found in a WordPress plugin that failed to properly sanitize and escape user-supplied +input before rendering it on an admin page. + +For example, vulnerabilities such as CVE-2023-2745 demonstrate how improper handling +of user input in WordPress plugins allows attackers to inject malicious JavaScript that +executes in the context of an authenticated administrator. + +## Description of the Vulnerability - Description of the Vulnerability XSS happens when an application takes user-supplied input (such as a form field, comment, or setting) and outputs it directly into HTML. If the output is not escaped properly, an attacker can inject code like: html + +## Root Cause Analysis + +The root cause of this vulnerability is improper handling of user-controlled input +within the WordPress plugin. User input was stored and later rendered without adequate +sanitization or escaping. + +Developers failed to use WordPress-provided escaping functions such as esc_html() or +esc_attr(), allowing injected JavaScript to execute when the data was displayed. + +## Prevention and Secure Coding Practices + +To prevent Cross-Site Scripting vulnerabilities in WordPress plugins, developers should: + +- Sanitize all user input using functions such as sanitize_text_field() +- Escape output using esc_html(), esc_attr(), or wp_kses() based on context +- Avoid directly echoing user-controlled input into HTML +- Implement WordPress nonces to protect against CSRF +- Conduct security reviews and testing before releasing plugins + +Following these secure coding practices significantly reduces the risk of XSS attacks. + +