KingComposer fixes a reflected XSS impacting 100,000 WordPress sites

Pierluigi Paganini July 10, 2020

An XSS vulnerability in the KingComposer page builder for WordPress impacts 100,000 websites using the WordPress plugin. 

Researchers at Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin that potentially impacts 100,000 websites. 

KingComposer a fast drag-and-drop page builder for WordPress websites, which comes complete with top-notch features embedded and a truly intuitive UI.

The vulnerability resides in Ajax functions used by the plugin to implement page builder features.

KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this

One of the Ajax functions registered by KingComposer was no longer actively used, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

“One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.” reads the analysis published by Wordfence. “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.”

The Wordfence Threat Intelligence team discovered the XSS bug on June 25.

To exploit the vulnerability, the attacker has to trick the victim into clicking a specially crafted link.

Below the timeline of the vulnerability:

  • June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
  • June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
  • June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
  • June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
  • June 29, 2020 – Patched version of KingComposer is released.
  • July 15, 2020 – Firewall rule becomes available to Wordfence Free users.

This vulnerability has been addressed with the release of the version 2.9.5.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment