KingComposer fixes a reflected XSS impacting 100,000 WordPress sites

An XSS vulnerability in the KingComposer page builder for WordPress impacts 100,000 websites using the WordPress plugin.

Researchers at Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin that potentially impacts 100,000 websites.

KingComposer a fast drag-and-drop page builder for WordPress websites, which comes complete with top-notch features embedded and a truly intuitive UI.

The vulnerability resides in Ajax functions used by the plugin to implement page builder features.

KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this

One of the Ajax functions registered by KingComposer was no longer actively used, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

“One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.” reads the analysis published by Wordfence. “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.”

The Wordfence Threat Intelligence team discovered the XSS bug on June 25.

To exploit the vulnerability, the attacker has to trick the victim into clicking a specially crafted link.

Below the timeline of the vulnerability:

June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
June 29, 2020 – Patched version of KingComposer is released.
July 15, 2020 – Firewall rule becomes available to Wordfence Free users.

This vulnerability has been addressed with the release of the version 2.9.5.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.