Researchers from the Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability in the KingComposer WordPress plugin. The flaw was discovered on June 25th and assigned CVE-2020-15299; at the time, the plugin was installed on over 100,000 sites. It lies in the Ajax functions the plugin uses to support its page builder features and received a CVSS score of 6.1 (medium). A POST request sent to the admin-ajax.php script with the action parameter set to kc_install_online_preset would invoke an inactive Ajax function. That function took several request parameters, base64-decoded them, and rendered the decoded content into the response without sanitization, so any script contained in the decoded data would run in the browser. As Wordfence put it, “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.” Because the flaw is reflected rather than stored, the attacker needs the victim to send the crafted request themselves, for instance by luring them to a page that submits it on their behalf. Wordfence contacted the developers shortly after the discovery, and a patch was released on June 29th; administrators running the plugin should update to the patched release.
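The following is an added example that models the vulnerable pattern described above next to a hardened version of the same handler. It is not KingComposer's code and not Wordfence's patch: the action name and the kc-online-preset-data parameter come from the text above, while the handler bodies, the nonce name kc_online_preset and the edit_posts capability are assumptions chosen for illustration.

```php
<?php
// Added example: a minimal model of the pattern described in the advisory text,
// NOT KingComposer's actual code. Action and parameter names are from the advisory;
// the handler bodies, the nonce name and the capability are illustrative assumptions.

// Vulnerable shape: base64-decode a request parameter and echo it straight into the
// response. Whatever the attacker encoded (including <script>) lands in the page
// unescaped, so a reflected XSS fires in the browser of whoever was tricked into
// sending the request. Nothing here checks who sent it or why.
function kc_preset_handler_vulnerable() {
    $data = isset($_POST['kc-online-preset-data']) ? $_POST['kc-online-preset-data'] : '';
    echo base64_decode($data);   // no nonce, no capability check, no output escaping
    wp_die();
}

// Hardened shape:
//  (1) require a valid nonce, so a form on an attacker's site cannot trigger the action
//      on the victim's behalf;
//  (2) require a capability appropriate for the feature;
//  (3) decode in strict mode and treat the result as untrusted text, escaping it for
//      the HTML context before output (or, better, never echoing it at all if the
//      feature does not need to).
function kc_preset_handler_hardened() {
    check_ajax_referer('kc_online_preset', 'nonce');   // dies with 403 on a bad/missing nonce
    if (!current_user_can('edit_posts')) {             // assumed capability for this feature
        wp_send_json_error('forbidden', 403);
    }
    $raw     = isset($_POST['kc-online-preset-data']) ? wp_unslash($_POST['kc-online-preset-data']) : '';
    $decoded = base64_decode($raw, true);              // strict: reject anything that is not base64
    if ($decoded === false) {
        wp_send_json_error('invalid preset data', 400);
    }
    echo esc_html($decoded);                           // context-appropriate escaping for HTML body
    wp_die();
}

// An action that is genuinely unused should simply not be registered. Register only the
// hardened handler, and only for logged-in users (no wp_ajax_nopriv_ hook), so the
// reachable attack surface is as small as the feature allows.
add_action('wp_ajax_kc_install_online_preset', 'kc_preset_handler_hardened');
```

The decisive difference is not the decoding but what happens afterwards: the vulnerable handler trusts the decoded bytes as markup, while the hardened one binds the request to a nonce and a capability and escapes the value before it reaches the page. When the handler is dead code, removing the add_action registration is the cleanest fix, since it eliminates the reachable path entirely.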
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security