XSS Vulnerability Found In KingComposer WordPress Plugin

Another vulnerable WordPress plugin has come to light. This time, the vulnerability appeared in the KingComposer WordPress plugin. It potentially affected over 100,000 websites.

KingComposer WordPress Plugin Vulnerability

Team Wordfence discovered the vulnerability of the WordPress plugin. In their discovery, they found a vulnerability in KingComposer Drag and Drop Page Builder WordPress plugin.

As stated in their post, the researchers found reflected cross-site scripting (XSS) vulnerability in the plugin. It existed because of an AJAX function not actively used but functional, from the other AJAX functions.

An attacker could exploit this function to sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. In turn, the attacker could execute malware on the users’ browsers visiting the target website.

Stating how this would happen, Wordfence stated,

This function renders a JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.
As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.

Patched Rolled Out

The vulnerability affected all plugin versions before the patched version. The researchers found the bug in June 2020, after which, they reached out to the developers.

Following their report, the developers patched the vulnerability with the release of KingComposer – Free Drag and Drop page builder version 2.9.5. The patch includes the complete removal of the unused function from the code.

Hence, now that the patch is available, users must ensure updating their sites to the latest patched version of the plugin to stay protected from potential attacks.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients