Another vulnerable WordPress plugin has come to light. This time, the vulnerability appeared in the KingComposer WordPress plugin. It potentially affected over 100,000 websites.
KingComposer WordPress Plugin Vulnerability
Team Wordfence discovered the vulnerability in the KingComposer Drag and Drop Page Builder WordPress plugin.
As stated in their post, the researchers found a reflected cross-site scripting (XSS) vulnerability in the plugin. It existed because of an AJAX function that was no longer actively used but was still registered and functional alongside the plugin’s other AJAX functions.
An attacker could exploit this function by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. In turn, the attacker could execute malicious scripts in the browsers of users visiting the target website.
Stating how this would happen, Wordfence stated,
kc-online-preset-data parameters. Since it uses the esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.
As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.
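The ordering problem Wordfence describes, as an added example that is not the plugin's code: a simplified PHP handler that escapes before base64-decoding, beside one that decodes first and then validates and escapes the result. esc_url_stand_in() is an assumed approximation of WordPress's esc_url(); the handler names and sample inputs are constructed for this demo.

```php
<?php
// Added example (not KingComposer's code): why escaping a parameter
// before base64-decoding it gives no protection.

// Assumed approximation of WordPress esc_url(): strips characters that are
// not valid in a URL, including <, > and double quotes. The base64 alphabet
// (A-Z, a-z, 0-9, +, /, =) passes through untouched, which is the whole problem.
function esc_url_stand_in(string $url): string {
    return preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]\x80-\xff]/i', '', $url);
}

// Vulnerable ordering: escape first, decode afterwards. The decoded bytes were
// never escaped, so any markup hidden inside the base64 blob survives intact.
function handle_preset_vulnerable(string $preset_data): string {
    $escaped = esc_url_stand_in($preset_data);  // looks safe at first glance
    $decoded = base64_decode($escaped);         // escaping is undone right here
    return $decoded;                            // reflected into the page as-is
}

// Hardened ordering: decode first, validate that the decoded value is what the
// handler expects (a plain http(s) URL), and escape at the point of output.
function handle_preset_hardened(string $preset_data): string {
    $decoded = base64_decode($preset_data, true); // strict mode rejects non-base64
    if ($decoded === false) {
        return '';
    }
    if (!filter_var($decoded, FILTER_VALIDATE_URL) || !preg_match('#^https?://#i', $decoded)) {
        return '';                                // anything that is not a URL is dropped
    }
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8'); // escape for the HTML context
}

// Constructed inputs: a benign preset URL and a harmless HTML tag.
$benign = base64_encode('https://example.com/preset.json');
$markup = base64_encode('<b>unescaped</b>');

// Compare the four results: the vulnerable handler returns the tag verbatim,
// the hardened handler returns the URL escaped and an empty string for the tag.
var_dump(handle_preset_vulnerable($benign));
var_dump(handle_preset_vulnerable($markup));
var_dump(handle_preset_hardened($benign));
var_dump(handle_preset_hardened($markup));
```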
Patch Rolled Out
The vulnerability affected all plugin versions before the patched version. The researchers found the bug in June 2020, after which they reached out to the developers.
Following their report, the developers patched the vulnerability with the release of KingComposer – Free Drag and Drop page builder version 2.9.5. The patch includes the complete removal of the unused function from the code.
Hence, now that the patch is available, users should update their sites to the latest patched version of the plugin to stay protected from potential attacks.
Let us know your thoughts in the comments.