Tags: javascript, wordpress, divi

Is this a wordpress hack?


Obviously I'm not sharing the actual site being referenced but the page itself isn't anything special. Just a regular wordpress page, no out of the ordinary scripts on it. However, we received this message:

=========

A white-hat hacker just reported an issue with example.com/sub-page. You can run arbitrary javascript, it seems, by modifying the URL:

https://example.com/subpage/#__proto__=&0[style][0]=1&0[style][1]=%3Cimg/src/onerror%3dalert(document.domain)%3E

=======

Is this a real hack or someone just trying to get rewarded? When I go to the modified link, nothing happens. We have Wordfence and standard hosting security. I'm trying to understand if this "hack" is just a website norm or if additional security needs to be installed on our wordpress websites.


Solution

  • If the javascript, which is included in your link sample, gets executed, it will produce an alert prompt box with your domain on it. If you can see it, then your website has an XSS vulnerability.