Sucuri in its latest blog has revealed the plugin vulnerability of WordPress websites, installed with the addons powered by genericons package, towards cross-site scripting (XSS). This puts over 3 million websites on XSS plugin vulnerability radar, including JetPack, a WordPress plugin that is installed in over 1 million website, TwentyFifteen (2015), which is the default theme of this package, and thousands of more plugin based on this package.

Which objects or elements in a webpage is the attack is exploiting?

The XSS is exploiting the Document Object Model (DOM) elements in HTML or JavaScript in a webpage’s source code. The attacker is modifying the DOM element of the victim by injecting malicious codes cleverly. The webpage, although modified to steal victim’s data, seems normal to the victim. Unaware, the victim clicks a part of the modified code to trigger the attack. Once the attack is triggered, the attacker has the control of the victim’s… Now the attacker has access to the victim’s personal information that he can use to verify the identity of the victim whenever required.

Why only Genericons Package?

Any addon based on this package by default contains the file—examples.html. The file, being common to every plugin in the package, is an easy target for an attacker using cross site scripting.

I have the protection of a robust firewall solution, still.

An attacker carries changes only at the client side, the web browser of the victim. The attack is deliberated in such a way that no fresh HTTP request is sent to the server side, during its course. As a result, the firewall installed at server side is unable to detect the suspicious traffic.

Nevertheless, the firewall can be updated to tackle this risk or combat the attack. Ask your firewall vendor for more details.

What can I do to prevent my WordPress website from attack?

As the default file of genericon package, examples.html, is the source of evil, delete any instances of the file from any of the installed addons. If you can’t remove the file, simply disable them. Install an updated firewall if haven’t yet. A firewall can give an additional layer of security. It filter outs any suspicious traffic regardless the definition of the attack.

As the threat is widespread and has a large install base in millions, patching millions of WordPress sites is going to take some time even after a patch rollout. Meanwhile, don’t click rogue links or a banner promising you $1m in prizes, especially when you’re login to WordPress admin. Also resist the temptation of updating if you’re not sure, where you being led.

What are the chances I am effected?

There are very less chance of your website being attacked as the attack has just hit the wild and is still in its infancy. In addition, not every addon’s versions powered by genericon package have examples.html file installed. Many developers have this habit of removing default files before public release.

How to know for sure?

Run Sucuri site check of your website. Sucuri sitecheck is one of the most trusted free & remote website scanner.

To check your website,

  • Go to
  • Enter your website’s domain address in the space provided.
  • Click “SCAN WEBSITE!” and wait for the results:
  • Look for the first two results: Malware and Website Blacklisting. If anyone of them showing anything in red, you may be one of the victims of this attack.

What are some typical instances of triggering the attack?

A user, a victim of DOM based XSS while adding a page to his WordPress (he was logged in) website saw a message over the top of the CMS admin page. The message, “One of your Plugin is vulnerable. Click here http:// onerror= alert(1)> for more information,” was making him to click on the link. Unaware of the ongoing attack, the user clicked on the link to trigger the attack. Soon the control of the website went to the attacker. He was simply hacked.

I am sure my website is hacked, what can I do now?

There isn’t much you can do other then to look for a fix from your host or security provider, which looking at the impact of the update, will take time. Nevertheless, few of the hosts have already released a fix in the form of updates:

  • GoDaddy
  • HostPapa
  • DreamHost
  • ClickHost
  • Inmotion
  • WPEngine
  • Pagely
  • Pressable
  • Websynthesis
  • Site5
  • SiteGround

Contact them for further details. Don’t click on any link prompting you for an update. It may be a trick by an attacker.

Regardless follow the standard procedures of web security in case of a breach.

  • Maintain a pristine environment in production.
  • Remove debug or test files before you move into production.
  • Remove simple example.html file that had the plugin vulnerability embedded
  • Contact a security expert in XSS
  • Install a Firewall to reduce further harm
  • An Intrusion detection system can save you from zero day threats

This is the best form of defence to counter a zero day attack.

IF you think you held private information that may be sensitive, go offline and wait for your host to release a fix. Several firewall in the market would be ready for the attack use them to filter out malicious traffic. Sucuri Firewall is one such solution right now.


Prevention is better than cure, no doubt; however, if your website is compromised, you’re washed up. For the time being, you can only wait for a security patch. The far reach that the plugin and theme have combined is a matter of serious matter. What if the attack become contagious spreading like a wildfire. A hacked computer might become a host of malwares and start distributing them to the intranet and subsequently, the internet.

Any site behind an updated Website Application Firewall(WAF) or protected by an Intrusion Detection System (IDS) is protected, regardless the presence of examples.html file. If a WAF or IPS are not guarding your website, deleting example.html from the genericons directory is obligatory.