KingComposer fixes an XSS flaw affecting 100,000 WordPress sites 2020


A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin.
XSS Flaw Impacting 100,000 Sites Patched in KingComposer

A reflected cross-site scripting (XSS) vulnerability affecting 100,000 websites has been fixed in the KingComposer WordPress plugin.

KingComposer is a drag-and-drop page builder for WordPress sites that removes the need to write code by hand for sites powered by the popular content management system (CMS).

The Wordfence Threat Intelligence team discovered the XSS bug on June 15. Tracked as CVE-2020-15299 and assigned a CVSS score of 6.1 (medium), the flaw was found in the Ajax functions the plugin uses to support its page-building features.

37.9% of sites still at risk


One of these Ajax functions was no longer in use but could still be triggered by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. The function rendered JavaScript from several request parameters that it first base64-decoded, and it wrote the decoded values into the page without escaping them.

"So, if an attacker used base64 encoding on a malicious payload and tricked a victim into sending a request containing that payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim's browser," the researchers said.
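The pattern the researchers describe, as an added example that is not KingComposer's code: an admin-ajax handler that base64-decodes a request parameter and splices it straight into inline JavaScript, next to a hardened handler. The WordPress functions used (check_ajax_referer, current_user_can, wp_send_json_success, wp_json_encode, wp_localize_script) are real; the function names, hook name, nonce action and script handle are hypothetical, and only the kc-online-preset-data parameter name comes from the advisory.

```php
<?php
/**
 * Added example, not KingComposer's code. All function, hook and nonce names
 * are hypothetical; only the parameter name kc-online-preset-data is from the advisory.
 */

// VULNERABLE PATTERN. Whatever the decoded parameter contains is written verbatim
// into an inline <script>, so a base64-encoded payload such as
//   </script><script>alert(document.domain)</script>
// closes the string and the script element and runs attacker-controlled JavaScript.
// With no nonce or capability check, a victim can be made to submit the request
// from a page on another site.
function kc_example_preset_vulnerable() {
    $raw     = isset( $_POST['kc-online-preset-data'] ) ? $_POST['kc-online-preset-data'] : '';
    $decoded = base64_decode( $raw );
    echo "<script>var kcPreset = '" . $decoded . "';</script>";
    wp_die();
}

// HARDENED VERSION.
//  1. check_ajax_referer() rejects requests without a valid nonce, so another
//     origin cannot make a logged-in user's browser submit this request.
//  2. current_user_can() limits the action to users allowed to edit content.
//  3. base64_decode( ..., true ) refuses input that is not valid base64.
//  4. The value is returned as JSON (Content-Type: application/json) instead of
//     being spliced into JavaScript source, so the browser never parses it as markup.
function kc_example_preset_hardened() {
    check_ajax_referer( 'kc_example_preset', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $raw     = isset( $_POST['kc-online-preset-data'] ) ? wp_unslash( $_POST['kc-online-preset-data'] ) : '';
    $decoded = base64_decode( $raw, true );
    if ( false === $decoded ) {
        wp_send_json_error( array( 'message' => 'bad encoding' ), 400 );
    }
    wp_send_json_success( array( 'preset' => $decoded ) );
}

// If the data really must be embedded in inline JavaScript, JSON-encode it with
// the JSON_HEX_* flags: '<', '>', '&' and quotes become \uXXXX escapes and '/'
// is escaped by default, so a "</script>" inside the value arrives as
// "\u003C\/script\u003E" and cannot close the element.
function kc_example_inline_script( $decoded ) {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var kcPreset = ' . wp_json_encode( $decoded, $flags ) . ';</script>';
}

// Only the hardened handler is hooked. The vulnerable one is deliberately left
// unregistered; dropping the dead handler outright is what the 2.9.5 fix did.
add_action( 'wp_ajax_kc_example_preset', 'kc_example_preset_hardened' );

// Expose the nonce and endpoint to the editor script (hypothetical handle
// 'kc-example-editor', which must be registered elsewhere with wp_register_script).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'kc-example-editor', 'kcExample', array(
        'nonce' => wp_create_nonce( 'kc_example_preset' ),
        'url'   => admin_url( 'admin-ajax.php' ),
    ) );
} );
```

A wp_ajax_* hook is reachable by any logged-in user and a wp_ajax_nopriv_* hook by anyone, so the nonce and capability checks, not the hook prefix, are what gate the handler; and an Ajax function that is no longer called from anywhere is best removed rather than hardened, which is the route the vendor took.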

Reflected XSS attacks depend on the victim performing a specific action that triggers the attack, for example clicking a crafted link sent to them. If the attack succeeds, the consequences can range from hijacking the victim's browser session to downloading and running malware.



The Wordfence Threat Intelligence team first tried to contact the plugin's developers one day after the discovery, on June 16. Receiving no response, the team escalated to the WordPress Plugins team on June 25. The KingComposer developers made contact on June 26, and a fixed version of the plugin, 2.9.5, was released on June 29. The fix removes the vulnerable, unused Ajax function altogether.

At the time of writing, 62.1% of sites running KingComposer have updated to version 2.9.5, which leaves 37.9% of sites with the plugin enabled still exposed to exploitation until they update.
