The KingComposer WordPress plugin has been found to contain several vulnerabilities that could lead to access control over compromised sites. The plugin has been installed on more than 100,000 sites. During their investigation, Wordfence researchers discovered an unpatched reflected cross-site scripting (XSS) flaw in the KingComposer plugin, identified as CVE-2020-15299.
Shortly after the discovery of the vulnerability, the researchers tried to contact the plugin’s developers. However, they didn’t receive a response in nice subsequent days, so they contacted the WordPress Plugins team. “The WordPress Plugins team replied the next day and let us know that they were in touch with the developers of the KingComposer plugin, and a patch was released on June 29, 2020,” Wordfence’s report says.
What is a Reflected Cross-Site Scripting (XSS) vulnerability?
Wordfence researchers recently detected a 30-times increase in specific attacks, called cross-site scripting. XSS attacks can be described as a type of injection, in which malicious scripts are injected into trusted websites. Another type of popular attacks against WordPress sites are Cross-Site Request Forgery (CSRF) attacks, where an attacker can trick a victim into clicking a specially crafted link in order to make changes to a site.
So, what would a reflected XSS attack be?
Reflected XSS vulnerabilities have characteristics of both of these vulnerabilities. Much like a CSRF attack, exploiting a Reflected XSS vulnerability usually relies on an attacker tricking their victim into clicking a malicious link which sends the victim to the vulnerable site along with a malicious payload. This can be done in a number of ways, but it is common to first link to an intermediate site controlled by the attacker, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim.
More details about the vulnerable KingComposer plugin
As already mentioned, the plugin has been found to contain a Reflected Cross-Site Scripting (XSS) vulnerability – CVE-2020-15299. More specifically, vulnerable is the KingComposer – Free Drag and Drop page builder by King-Theme. Versions affected by the issue include versions earlier than 2.9.5. In other words, users should upgrade their plugins to the latest version which is 2.9.5.
KingComposer is a WordPress plugin which has been created for Drag and Drop page building. The plugin registers a number of AJAX actions to accomplish this purpose. “One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset,” Wordfence said.