How to tell if your site has been exploited — detection checklist

• Search for posts/pages that render the video_onclick shortcode and inspect raw HTML for <script>, event attributes (onclick, onerror), or javascript: URIs.
• Look for accounts with Contributor+ privileges created around the time suspicious content appeared.
• Inspect recent admin actions, plugin/theme installs or updates near the timeframe of infected posts.
• Check server logs for suspicious POST requests containing the shortcode and script strings.
• Preview pages as an editor/admin and monitor browser console/network for unexpected calls or script execution.
• Run file integrity checks and inspect uploads, themes and plugins for recently modified or unknown files.
• Examine scheduled tasks (wp_cron) for unfamiliar jobs.

Incident response if you find evidence of compromise

1. Take the site offline (maintenance mode) or restrict access to administrators immediately.
2. Export a full backup of site files and database for analysis.
3. Remove the vulnerable plugin (or disable its shortcode) and any content that appears malicious.
4. Rotate all privileged user passwords and invalidate sessions.
5. Scan the site for backdoors and suspicious files; restore from a known-good backup if necessary (preferably pre‑compromise).
6. Audit server and access logs to determine the timeline and source of the intrusion.
7. Engage a trusted security or forensic professional if deeper investigation or remediation is required.
8. Return the site to production only after verification and testing.

Long-term hardening (site administrator checklist)

• Enforce least privilege: only grant users the capabilities they need.
• Require content moderation workflows so privileged users do not preview unvetted content.
• Enforce strong authentication (2FA) for editor/admin accounts.
• Keep plugins and themes up to date and use well-maintained sources.
• Restrict which roles can insert or manage shortcodes where feasible.
• Implement Content Security Policy (CSP) headers to reduce XSS impact (defence-in-depth, not a substitute for proper sanitisation).
• Monitor and alert on content changes and new privileged user creations.
• Run automated tests and scans focused on XSS vectors in user-facing features.

Developer guidance: secure shortcodes and secure-by-default patterns

If you maintain or author plugins, follow these hard rules:

1. Treat all shortcode input as untrusted. Use shortcode_atts() to normalise attributes, validate URLs with esc_url_raw(), and sanitise text with sanitize_text_field(). For content, use wp_kses() with a narrow allowed-tags set.
2. Escape at output. Use esc_attr() for attributes, esc_html() for text and esc_url() for URLs in HTML contexts.
3. Avoid concatenating large HTML strings with untrusted data—use templates and escape functions.
4. For AJAX/admin endpoints: require capability checks via current_user_can(), verify nonces with check_ajax_referer(), and sanitise request data before storage.
5. Add unit and integration tests covering XSS vectors and ensure malicious attributes/content are rejected or neutralised.
6. Log and alert when posts contain <script> or suspicious attributes on save, so site owners can triage quickly.

Example secure shortcode callback:

<?php
function secure_video_onclick_shortcode( $atts, $content = '' ) {
    $a = shortcode_atts( array(
        'src'   => '',
        'title' => '',
    ), $atts, 'video_onclick' );

    // Only allow http(s)
    $src = esc_url_raw( $a['src'] );
    // sanitize title strictly
    $title = sanitize_text_field( $a['title'] );

    // Allow only safe HTML in the content: limit tags as needed
    $allowed_tags = array(
        'p' => array(),
        'br' => array(),
        'strong' => array(),
        'em' => array(),
    );
    $content = wp_kses( $content, $allowed_tags );

    // Build HTML with escaping
    $html = '<div class="video-onclick" data-src="' . esc_attr( $src ) . '" title="' . esc_attr( $title ) . '">';
    $html .= $content;
    $html .= '</div>';

    return $html;
}
add_shortcode( 'video_onclick', 'secure_video_onclick_shortcode' );
?>

Practical clean-up scripts and queries

Search for content that includes video_onclick and script tags:

SELECT ID, post_title, post_type, post_status
FROM wp_posts
WHERE post_content LIKE '%[video_onclick%'
AND post_content LIKE '%<script%';

If you find matches and need to remove <script> tags programmatically (test on staging first):

<?php
// Remove <script> tags from posts containing the shortcode
$posts = get_posts( array(
    's' => '[video_onclick',
    'posts_per_page' => -1,
    'post_type' => array('post','page','custom_post_type'),
) );

foreach ( $posts as $post ) {
    $clean = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $post->post_content );
    if ( $clean !== $post->post_content ) {
        wp_update_post( array(
            'ID' => $post->ID,
            'post_content' => $clean
        ) );
    }
}
?>

Always back up the database before bulk editing content.

How to test that the site is no longer vulnerable

• After removing/disabling the plugin or shortcode, confirm no rendering occurs for video_onclick occurrences on the front-end.
• Use a test contributor account to submit a harmless test payload such as </div><img src=x onerror='console.log("x")'> and verify the system neutralises it (escaping or removal).
• Inspect browser dev tools to ensure no inline scripts execute on pages with the shortcode.
• Review logs for blocked or suspicious attempts and tune any blocking rules to avoid false positives.

Recommendations for plugin maintainers and reviewers

• Audit all shortcodes and any code that outputs user-provided attributes or content.
• Do not include shortcodes in admin-only contexts that will be previewed by privileged users unless content is strictly sanitised.
• Document allowed attributes and enforce them in code.
• Provide an option to allow site owners to disable shortcodes globally.
• When responding to vulnerability reports, release a fixed version promptly and communicate clear upgrade instructions to users.

A practical security checklist you can use today

• Deactivate and remove obsolete or rarely used plugins.
• Immediately disable the video_onclick shortcode if you use the plugin and cannot update.
• Search and clean posts that contain the shortcode and script tags.
• Review Contributor+ accounts and require moderation of posts before privileged user previews.
• Deploy temporary WAF patterns where possible to block shortcode-based script injection while remediating.
• Rotate admin credentials and enable 2FA.
• Schedule a full malware and integrity scan.
• Apply long-term hardening: CSP, least privilege, and secure plugin development practices.

Final words — prioritise protection and fix the root cause

Stored XSS originating from shortcodes remains a common class of issue because shortcodes are designed for ease-of-use, not adversarial input. Treat shortcode inputs as hostile by default: validate aggressively, escape on output, and include tests that prove malicious inputs are neutralised.

If you find evidence of compromise and need help, engage a trusted security professional or a forensic service to analyse and remediate. Immediate priority is to disable the vulnerable rendering path, clean stored content, rotate credentials, and perform a timely forensic review before returning the site to normal operations.