KingComposer patches XSS flaw impacting 100,000 WordPress websites

The vulnerability could be exploited to execute malicious payloads in visitor browsers.
Written by Charlie Osborne, Contributing Writer

A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin. 

Also: Best web hosting services

KingComposer is a drag-and-drop page builder for WordPress-based domains that removes the need to program or directly code websites powered by the content management system (CMS). 

See also: Researchers connect Evilnum hacking group to cyberattacks against Fintech firms

The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and issued a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to facilitate page builder features. 

One of the Ajax functions was not in active use but could still be launched by sending a POST request to a script called admin-ajax.php with an action parameter set to kc_install_online_preset.

The function renders JavaScript across a variety of parameters that are then base64-decoded. 

"As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim's browser," the researchers say. 

CNET: China aims to dominate everything from 5G to social media -- but will it?

Reflected XSS vulnerabilities rely on a victim to perform a particular action to trigger an attack. This can be achieved by serving malicious links that need to be clicked on, for example, and if successful, could lead to browser session hijacking or malware download and execution. 

The Wordfence Threat Intelligence team attempted to contact the developers of the plugin a day after their discovery. However, there was no response, leading to the team reaching out directly to the WordPress Plugins team on June 25. By June 26, contact was made with the KingComposer developers and a patched version of the plugin, version 2.9.5, was released on June 29. 

TechRepublic: Highest-paying tech jobs: Where to find them

The security issue was resolved by removing the vulnerable, and obsolete, Ajax function.

At the time of writing, 62.1% of users have updated to version 2.9.5, and so 37.9% of websites with KingComposer enabled are still at risk of exploit.  

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards