Another vulnerable WordPress plugin has come to light. This time, the vulnerability appeared in the KingComposer WordPress plugin. It potentially affected over 100,000 websites.
KingComposer WordPress Plugin Vulnerability
Researchers at Wordfence discovered the vulnerability in the KingComposer Drag and Drop Page Builder WordPress plugin.
As stated in their post, the researchers found a reflected cross-site scripting (XSS) vulnerability in the plugin. It existed because of an AJAX function that was no longer actively used but remained registered and functional alongside the plugin's other AJAX functions.
An attacker could exploit this function by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. In turn, the attacker could execute malicious code in the browsers of users visiting the target website.
Explaining how this would happen, Wordfence stated:
This function renders a JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.
As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.
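The ordering flaw Wordfence describes (escape first, base64-decode afterwards) can be modelled in a few lines; this is an added illustration written in Python, not the plugin's PHP code, and it uses html.escape as a stand-in for esc_attr and a constructed HTML fragment in place of a real kc-online-preset-data value. The actual fix was to remove the function entirely; the "hardened" variant here only shows why decode-then-escape is the correct order when such output must be rendered.

```python
import base64
import html

# Constructed sample: an HTML fragment standing in for whatever a request
# might carry in the kc-online-preset-data parameter, base64-encoded as the
# plugin expected.
RAW_PRESET_DATA = "<script>/* constructed test fragment */</script>"
ENCODED_PARAM = base64.b64encode(RAW_PRESET_DATA.encode()).decode()


def esc_attr(value: str) -> str:
    """Stand-in for WordPress esc_attr(): HTML-escape &, <, >, quotes."""
    return html.escape(value, quote=True)


def render_vulnerable(encoded_param: str) -> str:
    """Models the flawed ordering: escape the parameter, THEN base64-decode it.

    The base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains nothing that
    esc_attr would touch, so escaping is a no-op and decoding restores the
    original markup untouched.
    """
    escaped = esc_attr(encoded_param)
    return base64.b64decode(escaped).decode()


def render_hardened(encoded_param: str) -> str:
    """Correct ordering: decode first, then escape what will actually be emitted."""
    decoded = base64.b64decode(encoded_param).decode()
    return esc_attr(decoded)


def contains_markup(output: str) -> bool:
    """True if raw angle brackets survive into the rendered output."""
    return "<" in output or ">" in output


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ENCODED_PARAM))
    print("hardened:  ", render_hardened(ENCODED_PARAM))
```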
Patch Rolled Out
The vulnerability affected all plugin versions before the patched release. The researchers found the bug in June 2020, after which they reached out to the developers.
Following their report, the developers patched the vulnerability with the release of KingComposer – Free Drag and Drop page builder version 2.9.5. The patch includes the complete removal of the unused function from the code.
Now that the patch is available, site owners should update to the latest patched version of the plugin to stay protected from potential attacks.