I do penetration testing for a living. Recently I discovered a reflected XSS vulnerability in one of the WordPress plugins.

First of all, what is XSS (Cross-Site Scripting)?

"Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.

Reflected XSS are the most frequent type of XSS attacks found in the wild. Reflected XSS attacks are also known as non-persistent XSS attacks and, since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS.

When a web application is vulnerable to this type of attack, it will pass unvalidated input sent through requests back to the client. The common modus operandi of the attack includes a design step, in which the attacker creates and tests an offending URI, a social engineering step, in which she convinces her victims to load this URI on their browsers, and the eventual execution of the offending code using the victim's browser.

Commonly the attacker's code is written in the JavaScript language, but other scripting languages are also used, e.g., ActionScript and VBScript. Attackers typically leverage these vulnerabilities to install key loggers, steal victim cookies, perform clipboard theft, and change the content of the page (e.g., download links).

One of the primary difficulties in preventing XSS vulnerabilities is proper character encoding. In some cases, the web server or the web application could not be filtering some encodings of characters, so, for example, the web application might filter out "<script>", but might not filter %3cscript%3e which simply includes another encoding of tags." (Source)

So, there is a reflected XSS vulnerability in the latest version of the Better WordPress reCAPTCHA plugin (version 2.0.3).

The value of the cerror parameter is reflected in the page when this plugin is enabled. Once the plugin is disabled, the "cerror" parameter's value is no longer reflected in the page, so there is no attacker-controlled JavaScript in the response.


This is the relevant fragment of the page source, with the submitted value reflected without any HTML encoding:

<input id="url" name="url" type="url" value="" size="30" maxlength="200" /></p>
<p class="bwp-recaptcha-error error">Unknown error (\"><iMg src=N onerror=alert(9)>). Please contact an administrator for more info.</p>
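To make the two points above concrete (the deny-list/encoding problem from the quoted text, and the unencoded reflection of cerror shown in the source fragment), here is an added Python example that is not code from the post or from the plugin. It reconstructs the plugin's error line from the fragment, renders it once the vulnerable way (raw concatenation) and once with HTML-entity encoding, and includes the kind of regression check a tester or CI job can run against a response body. The parameter name cerror and the payload shape come from the post; the host, path and function names are assumptions made for the example, and the reference to PHP's esc_html() names WordPress's own escaping helper as the equivalent fix.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample link: the payload from the post, URL-encoded into the
# cerror parameter. Host and path are placeholders, not the tested site.
CRAFTED_URL = (
    "https://example.invalid/wp-login.php"
    "?cerror=%22%3E%3CiMg%20src%3DN%20onerror%3Dalert(9)%3E"
)

ERROR_TEMPLATE = (
    '<p class="bwp-recaptcha-error error">Unknown error ({value}). '
    "Please contact an administrator for more info.</p>"
)


def extract_cerror(url: str) -> str:
    """URL-decode the cerror query parameter the way the web stack does before
    the plugin ever sees it; %3C becomes '<' at this point."""
    params = parse_qs(urlsplit(url).query)
    return params.get("cerror", [""])[0]


def naive_filter_passes(value: str) -> bool:
    """A deny-list check for the literal <script> tag. It illustrates why such
    filters fail: the payload in the post uses an <img> event handler and never
    contains '<script>', so it sails straight through."""
    return "<script>" not in value.lower()


def render_error_unsafe(value: str) -> str:
    """Mirrors the behaviour visible in the source fragment: the parameter value
    is concatenated into HTML untouched."""
    return ERROR_TEMPLATE.format(value=value)


def render_error_safe(value: str) -> str:
    """Hardened form: entity-encode for an HTML text context so '<', '>', '"'
    and "'" can no longer start a tag or break out of an attribute. In the
    plugin's PHP this is what esc_html() does."""
    return ERROR_TEMPLATE.format(value=html.escape(value, quote=True))


def reflects_unencoded(body: str, value: str) -> bool:
    """Regression check: does the response contain the submitted value with its
    HTML-significant characters intact? True means the output is not encoded for
    this context and the parameter is a reflected-XSS sink."""
    has_html_chars = any(ch in value for ch in "<>\"'")
    return has_html_chars and value in body


if __name__ == "__main__":
    payload = extract_cerror(CRAFTED_URL)
    print("decoded cerror       :", payload)
    print("deny-list lets it by :", naive_filter_passes(payload))
    print("unsafe body reflects :", reflects_unencoded(render_error_unsafe(payload), payload))
    print("safe body reflects   :", reflects_unencoded(render_error_safe(payload), payload))
    print(render_error_safe(payload))
```

The check deliberately looks for the raw value rather than for specific tags: a fix that blocks one spelling of one tag, as the quoted text warns, is not a fix, whereas context-appropriate output encoding makes the whole class of payloads inert regardless of how they were spelled on the way in.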

But still, if you want to learn hands-on penetration testing without a fancy certification, whether you are only a beginner or already an advanced hacker, I have created plenty of online video courses about hacking and infrastructure. See them all here https://learn.ituniversity.ro and contact me for the latest offers and updates. Right now I'm running a campaign for the "Complete White Hat Hacking & Penetration Testing Bundle" of over 20 hours of video content, accessible for only $50 using the BECOMEHACKERLKN coupon.


Disclaimer: The tested website has disabled the plugin and is no longer insecure. Furthermore, the developer of the plugin has been notified about this, but it seems that the plugin has not been under development for a couple of years.