Researchers at Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin that potentially impacts 100,000 websites.
KingComposer a fast drag-and-drop page builder for WordPress websites, which comes complete with top-notch features embedded and a truly intuitive UI.
The vulnerability resides in Ajax functions used by the plugin to implement page builder features.
KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this
One of the Ajax functions registered by KingComposer was no longer actively used, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.
“One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.” reads the analysis published by Wordfence. “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.”
The Wordfence Threat Intelligence team discovered the XSS bug on June 25.
To exploit the vulnerability, the attacker has to trick the victim into clicking a specially crafted link.
Below the timeline of the vulnerability:
This vulnerability has been addressed with the release of the version 2.9.5.
(SecurityAffairs – hacking, WordPress)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.