KingComposer patches XSS flaw impacting 100,000 WordPress websites

The vulnerability could be exploited to execute a malicious payload in a victim's browser.
Written by Charlie Osborne, Contributing Writer on

A reflected cross-site scripting (XSS) vulnerability has been patched in the KingComposer WordPress plugin, which is installed on more than 100,000 websites.


KingComposer is a drag-and-drop page builder for WordPress sites that removes the need to write code for websites powered by the content management system (CMS).


The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and assigned a severity (CVSS) score of 6.1, the flaw was found in the Ajax functions the plugin uses to implement its page builder features.

One of these Ajax functions was no longer in active use but remained registered, so it could still be invoked by sending a POST request to the admin-ajax.php script with the action parameter set to kc_install_online_preset.

The function rendered JavaScript from several request parameters, base64-decoding them before writing them into the page without sanitization.

"As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim's browser," the researchers say. 
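The request shape described above, as an added detection example that is not part of the original article or of the plugin's own code: it keys on the conditions Wordfence describes (admin-ajax.php, action=kc_install_online_preset, a base64 value in kc-online-preset-data), decodes the parameter the way PHP's lenient base64_decode() would, and flags script markers in the decoded text. The request dictionaries, helper names and payload are constructed for illustration, and the check is written in Python rather than the plugin's PHP.

```python
"""Detection logic for the KingComposer reflected-XSS pattern (illustrative).

A filter that only inspects the raw kc-online-preset-data parameter never
sees the payload, because it is base64 text; decoding it the way the obsolete
handler did is what makes it visible. All sample requests below are
constructed, not captured traffic.
"""
import base64
import binascii
import re

AJAX_SCRIPT = "admin-ajax.php"
VULNERABLE_ACTION = "kc_install_online_preset"
ENCODED_PARAM = "kc-online-preset-data"

# Heuristic markers of script injection in the decoded value. A denylist like
# this is bypassable; it is a detection aid, not a substitute for the patch.
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)
NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")


def targets_vulnerable_action(req: dict) -> bool:
    """True when the request would reach the obsolete handler.

    admin-ajax.php reads the action from $_REQUEST, so the HTTP method is
    deliberately not checked even though the disclosure describes a POST.
    """
    return (
        req.get("path", "").endswith(AJAX_SCRIPT)
        and req.get("params", {}).get("action") == VULNERABLE_ACTION
    )


def decode_preset_data(value: str):
    """Base64-decode the parameter as PHP's base64_decode() would.

    In its default non-strict mode PHP silently drops characters outside the
    base64 alphabet, so an attacker can salt the payload with junk to evade a
    strict decoder. Strip them first, then repair padding. Returns None when
    the remaining data cannot be decoded at all.
    """
    cleaned = NOT_BASE64.sub("", value).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def flag_request(req: dict) -> str:
    """Classify one request as 'ignore', 'clean', 'undecodable' or 'xss'."""
    if not targets_vulnerable_action(req):
        return "ignore"
    decoded = decode_preset_data(req["params"].get(ENCODED_PARAM, ""))
    if decoded is None:
        return "undecodable"
    return "xss" if SCRIPT_MARKERS.search(decoded) else "clean"


def scan_requests(reqs) -> list:
    """Verdicts for a batch of parsed requests, in order."""
    return [flag_request(r) for r in reqs]


def encode_payload(text: str) -> str:
    """Standard base64 of a string, as an attacker would prepare the parameter."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed test payload


def _kc_request(data: str) -> dict:
    """Build a constructed request to the vulnerable action."""
    return {
        "method": "POST",
        "path": "/wp-admin/admin-ajax.php",
        "params": {"action": VULNERABLE_ACTION, ENCODED_PARAM: data},
    }


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {   # unrelated Ajax action: outside the scope of this check
        "method": "POST",
        "path": "/wp-admin/admin-ajax.php",
        "params": {"action": "heartbeat", "data": "x"},
    },
    _kc_request(encode_payload(PAYLOAD)),                 # plain base64 payload
    _kc_request("!".join(encode_payload(PAYLOAD))),       # junk PHP would ignore
    _kc_request(encode_payload('{"preset": "hero-1"}')),  # benign-looking data
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan_requests(SAMPLE_REQUESTS)):
        print(verdict, req["params"].get(ENCODED_PARAM, "-"))
```

The point of decoding first is that a rule searching the raw parameter for `<script` can never match base64 text. Since the vulnerable function was obsolete, the simpler mitigation for a site that cannot update to 2.9.5 immediately is to block any request carrying action=kc_install_online_preset outright rather than trying to inspect its payload.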


Reflected XSS vulnerabilities rely on the victim performing an action that triggers the attack, such as clicking a crafted link or, where the payload must arrive in a POST request as described here, visiting an attacker-controlled page that auto-submits a form to the vulnerable endpoint. If successful, the attacker's script runs in the victim's authenticated session, which can lead to session hijacking, actions performed with the victim's privileges, or redirection to malicious downloads.

The Wordfence Threat Intelligence team attempted to contact the plugin's developers a day after the discovery but received no response, so it reached out directly to the WordPress Plugins team on June 25. Contact with the KingComposer developers was established by June 26, and a patched version of the plugin, 2.9.5, was released on June 29.


The issue was resolved by removing the vulnerable, obsolete Ajax function entirely.

At the time of writing, 62.1% of users had updated to version 2.9.5, leaving 37.9% of websites running KingComposer still exposed.


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
