WordPress XSS Vulnerability Scanner
Cross-site scripting (XSS) in WordPress themes and plugins happens when user-supplied data is output into HTML without escaping. A reflected XSS lets an attacker send a crafted URL; stored XSS lets them inject code that runs for every visitor. wp-scan.org scans for raw $_GET/$_POST echoes, missing esc_html()/esc_attr()/esc_url() calls, and unsafe JavaScript patterns in PHP-generated output.
What wp-scan.org detects
- ✓ Raw echo of $_GET, $_POST, or $_REQUEST variables
- ✓ Missing esc_html() / esc_attr() on output in templates
- ✓ Unsafe esc_url() omissions in href and src attributes
- ✓ PHP variables injected into inline <script> blocks
- ✓ Stored XSS risk from unsanitized database output
- ✓ wp_kses() bypass patterns in custom HTML filters
Scan your WordPress files now — free
Want to see what a Premium report looks like?
View a real scan with line numbers, fix guides, and secure code for every finding.
Common questions
Reflected XSS requires the victim to click a crafted link — the payload is in the URL. Stored XSS is saved to the database and runs for every visitor who loads the page. Both are serious; stored XSS is harder to clean up.
esc_html() for text inside HTML tags, esc_attr() for HTML attributes, esc_url() for URLs, esc_js() for inline JavaScript strings, and wp_kses() when you need to allow some HTML but not all.
The page builder itself is maintained by its vendor. The risk is in custom shortcodes, widgets, or child theme templates you've written that output user data.
See exact line numbers and fix guides for every finding
Upgrade to Premium — from $9.99/mo →