Threat Watch

KingComposer WordPress Plugin Patch Available

Researchers from the Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability in the KingComposer WordPress plugin. The vulnerability was discovered on June 25th and was assigned CVE-2020-15299, but the plugin was already in use on more than 100,000 sites, all of which were exposed before the bug was found. The flaw lies in the Ajax functions the plugin uses for its page-builder features and was given a severity score of 6.1. A POST request to the admin-ajax.php script with the action parameter set to kc_install_online_preset invokes an otherwise unused Ajax function. That function base64-decodes several request parameters and renders the decoded values into the page without escaping, so any JavaScript they contain runs in the browser. Researchers from Wordfence stated, “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.” Wordfence contacted the developers shortly after the discovery, and a patch was released on June 29th.
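The following is an added illustrative example, not KingComposer's own code (which the brief does not reproduce): it models the bug class described above, an admin-ajax.php handler that base64-decodes a request parameter and echoes it unescaped, beside the hardened form a plugin developer or code reviewer should expect. The handler name and nonce action are assumptions; only the kc-online-preset-data parameter name comes from the brief.

```php
<?php
// Added illustrative example, not KingComposer's code. Handler and nonce
// names are assumptions; kc-online-preset-data is the parameter the brief names.

// --- Vulnerable pattern (reflected XSS) ---
function example_preset_preview_vulnerable() {
    // The decoded value is written straight into HTML with no escaping, so
    // any markup the requester base64-encoded is rendered by the browser.
    $data = base64_decode( $_POST['kc-online-preset-data'] ?? '' );
    echo '<div class="preset-preview">' . $data . '</div>';
    wp_die();
}

// --- Hardened pattern ---
function example_preset_preview_hardened() {
    // 1. Require a capability and a valid nonce: a request forged from another
    //    site (the delivery path reflected XSS depends on) fails the nonce check.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_preset_nonce', 'nonce' );

    // 2. Decode in strict mode and reject input that is not valid base64
    //    rather than silently decoding whatever arrived.
    $raw  = isset( $_POST['kc-online-preset-data'] )
        ? wp_unslash( $_POST['kc-online-preset-data'] ) : '';
    $data = base64_decode( $raw, true );
    if ( false === $data ) {
        wp_send_json_error( 'invalid preset data', 400 );
    }

    // 3. Escape on output so the value is rendered as text, never as markup.
    echo '<div class="preset-preview">' . esc_html( $data ) . '</div>';
    wp_die();
}

// Register only the hardened handler. A handler the plugin no longer uses
// should be removed entirely rather than left reachable through admin-ajax.php.
add_action( 'wp_ajax_example_preset_preview', 'example_preset_preview_hardened' );
```

When auditing a plugin for this pattern, look for `wp_ajax_` (and especially `wp_ajax_nopriv_`) hooks whose callbacks echo request data without a capability check, nonce check, or output escaping.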

ANALYST NOTES

Anyone using the KingComposer plugin is advised to update to the patched version, 2.9.5. According to ZDNet, approximately 37,000 sites running KingComposer have yet to install the patch. Left unpatched, the vulnerability could lead to browser session hijacking or to malware being downloaded and executed. Exploiting a reflected XSS vulnerability requires tricking a user into performing an action such as clicking a link, so website administrators should be especially wary of phishing emails containing links to their own WordPress site.

Source: https://www.zdnet.com/article/kingcomposer-wordpress-plugin-patches-xss-flaw-impacting-100000-websites/