• caglararli@hotmail.com
  • 05386281520

how to prevent url custom parameters xss attack in WordPress

Çağlar Arlı      -    15 Views

how to prevent url custom parameters xss attack in WordPress

I had a custom plugin for WordPress where I also had a plugin settings page with some tabs, each tab showing by tab parameter, and also had none on the URL.

My plugin has two different plugin settings pages for administrators and non-administrators. The non-administrator page has only one page with 3 tabs called "ml-reports."

When a user clicks my report menu from the admin panel, it opens like:

http://domain.com/wp-admin/admin.php?page=ml-reports and it shows one tab as the default. The issue is if a user passes extra random parameters or custom parameters, for example, &ry17y%27%3e%3cscript%3ealert%602%60%3c%2fscript%3ez1w5i=1 and it looks like http://domain.com/wp-admin/admin.php?page=ml-reports&ry17y%27%3e%3cscript%3ealert%602%60%3c%2fscript%3ez1w5i=1

after enter this url it popup an alert on the site.

I'm not sure how bad it is, but I can imagine it could be a potential exploit. However, I don't know how to prevent or catch it if a user passes a random or custom parameter that I didn't escape or do anything in the code.

Is there a way to prevent this alert or JavaScript execution if a user passes custom parameters as plugin developers?

here's the sample of my code for that settings page

$tab = ( isset( $_GET['tab'] ) && sanitize_text_field( $_GET['tab'] ) ) ? sanitize_text_field( $_GET['tab'] )
    : 'userReport';

// Verify nonce
$nonce = ( isset( $_GET['_wpnonce'] ) ) ? sanitize_text_field( $_GET['_wpnonce'] ) : '';

// Verify nonce
// I also want to show userReport as default tab when there's no parameter in url
if (empty($nonce) && "userReport" !== $tab && !check_admin_referer('ml_report_nonce', '_wpnonce')) {
    // Nonce verification failed, handle accordingly (exit, redirect, etc.)
    exit('Nonce verification failed!');

here's my tab are printing

foreach ( $tabs as $report_tab => $name ) {
    $class = ( $report_tab == $selected_tab ) ? ' nav-tab-active' : '';

    $url = add_query_arg(
            'tab' => esc_attr( $report_tab ),
            '_wpnonce' => wp_create_nonce('ml_report_nonce'),

    echo "<a class='nav-tab" . esc_attr( $class ) . "' href='" . esc_attr( $url ) . "'>" .
            esc_html( $name ) .


Let me know if you guys need more information or code. Anything, let me know.