KingComposer fixes an XSS flaw affecting 100,000 WordPress sites


A reflected cross-site scripting (XSS) vulnerability affecting 100,000 websites has been fixed in the KingComposer WordPress plugin.

KingComposer is a drag-and-drop page generator for WordPress-based websites that eliminates the need to directly program or code websites powered by the famous content management system (CMS).

The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and assigned a severity score of 6.1, the flaw was found in the Ajax functions the plugin uses to support its page-building features.

37.9% of sites still in danger

One of the Ajax functions was no longer in use but could still be triggered by sending a POST request to the admin-ajax.php script with the action parameter set to kc_install_online_preset. The function rendered JavaScript built from several request parameters whose values were first base64-decoded.

“Thus, if an attacker used base64 encoding on a malicious payload, and deceived a victim by sending him a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,” say the researchers.
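Because the request shape is fully described above (a POST to admin-ajax.php, action set to kc_install_online_preset, a base64-encoded kc-online-preset-data parameter), a site owner can look for it in web-server logs. The following detector is an added example written for this article; it is not Wordfence's or KingComposer's code. It assumes access logs in the combined format and that the parameters appear in the logged request target (request bodies are not logged by default, so in practice this would be fed from a WAF or a body-logging setup). The log lines are constructed for the example.

```python
"""Flag requests aimed at the removed KingComposer Ajax action in access logs.

Added example, not from the article or the plugin. The action and parameter
names (kc_install_online_preset, kc-online-preset-data) are the ones the
article gives; the log lines below are constructed sample data.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). The request
# parameters are assumed to be visible in the logged request target.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51
203.0.113.9 - - [29/Jun/2020:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=kc_install_online_preset&kc-online-preset-data=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D HTTP/1.1" 200 312
198.51.100.2 - - [29/Jun/2020:10:02:00 +0000] "GET /wp-content/plugins/kingcomposer/readme.txt HTTP/1.1" 200 8841
203.0.113.9 - - [29/Jun/2020:10:03:15 +0000] "POST /wp-admin/admin-ajax.php?action=kc_install_online_preset HTTP/1.1" 200 27
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that indicate the decoded parameter carries script content.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def decode_preset_data(value):
    """Base64-decode the parameter value; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_line(line):
    """Return a finding for a kc_install_online_preset request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)  # percent-decodes values such as %3D
    if params.get("action", [None])[0] != "kc_install_online_preset":
        return None
    finding = {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "decoded_payload": None,
        "script_markers": False,
    }
    raw = params.get("kc-online-preset-data", [None])[0]
    if raw is not None:
        decoded = decode_preset_data(raw)
        finding["decoded_payload"] = decoded
        if decoded is not None:
            lowered = decoded.lower()
            finding["script_markers"] = any(mk in lowered for mk in SCRIPT_MARKERS)
    return finding


def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit is worth attention even when the payload does not decode or carries no script marker: the action was removed in version 2.9.5, so on a patched site a request for it has no legitimate purpose, and on an unpatched one it is the request the researchers describe.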

Exploiting an XSS vulnerability of this kind relies on the victim performing a specific action that triggers the attack, for example clicking a malicious link; if successful, this could lead to browser hijacking or to the download and execution of malware.

The Wordfence Threat Intelligence team attempted to contact the plugin's developers one day after their discovery. Receiving no response, the team contacted the WordPress plugin team directly on June 25. Contact with the KingComposer developers was established on June 26, and a corrected version of the plugin, version 2.9.5, was released on June 29. The issue was resolved by removing the vulnerable, outdated Ajax function.

At the time of writing, 62.1% of users have upgraded to version 2.9.5, so 37.9% of websites running KingComposer remain at risk of exploitation.
