July 9

XSS Flaw Impacting 100,000 Sites Patched in KingComposer

WordPress Vulnerabilities


This post was originally published on this site

On June 15, 2020, our Threat Intelligence team was made aware of several access control vulnerabilities that had recently been disclosed in KingComposer, a WordPress plugin installed on over 100,000 sites. During our investigation of these vulnerabilities, we discovered an unpatched reflected Cross-Site Scripting (XSS) vulnerability.

Wordfence Premium customers received a new firewall rule the same day, protecting against both the newly patched access control vulnerabilities and the unpatched Cross-Site Scripting vulnerability. Wordfence users still using the free version will receive this rule after 1 month, on July 15, 2020.

We attempted to contact the plugin's developers the next day, on June 16, 2020. As we did not receive a response after 9 days, we contacted the WordPress Plugins team on June 25, 2020. The WordPress Plugins team replied the next day and let us know that they were in touch with the developers of the KingComposer plugin, and a patch was released on June 29, 2020.

What is Reflected Cross-Site Scripting (XSS)?

We've written a number of posts about Stored Cross-Site Scripting (XSS) vulnerabilities in the past, and how they can be used to take over a website if an administrator accesses a page on their site containing malicious JavaScript. We've also discussed Cross-Site Request Forgery (CSRF) attacks, where an attacker can trick a victim into clicking a specially crafted link in order to make changes to a site.

Reflected XSS vulnerabilities have characteristics of both of these vulnerabilities. Similar to a CSRF attack, exploiting a Reflected XSS vulnerability generally relies on an attacker tricking their victim into clicking a malicious link which sends the victim to the vulnerable site along with a malicious payload. This can be done in a number of ways, but it is common to first link to an intermediate site controlled by the attacker, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim.

A notable difference between the stored XSS vulnerabilities more commonly discovered and reflected XSS vulnerabilities like this one is that, with reflected XSS, the malicious scripts used in the exploit are not actually stored anywhere in the database. Instead, the malicious scripts are reflected and executed once during the exploit.

As with Stored XSS attacks, the malicious payload will be executed in the victim's browser. However, with reflected XSS, the vulnerable site immediately outputs (reflects) the malicious JavaScript payload, which is executed a single time in the victim's browser rather than being stored in the database for later execution.

This can be used in a number of attacks. For example, if the victim was a logged-in administrator on the vulnerable site, the reflected JavaScript could be used to create a new, malicious administrator account controlled by the attacker.

In order for reflected XSS attacks to successfully exploit a user, an attacker needs to trick the user into performing an action. For this reason, we highly recommend remaining vigilant when clicking on links or attachments in comments, emails, and other communication sources unless you are sure of their integrity and legitimacy.

Description: Reflected Cross-Site Scripting (XSS)
Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Plugin Slug: kingcomposer
Affected Versions: < 2.9.5
CVE ID: CVE-2020-15299
CVSS Score: 6.1 (Medium)
Fully Patched Version: 2.9.5

KingComposer is a WordPress plugin that allows drag-and-drop page building, and it registers a number of AJAX actions to accomplish this. One of these AJAX actions was no longer actively used by the plugin, but could still be reached by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

The vulnerable function:

	public function install_online_preset(){

		// Both parameters are escaped here, while kc-online-preset-data is still base64 text.
		$data = isset($_POST['kc-online-preset-data']) ? esc_attr($_POST['kc-online-preset-data']) : '';
		$link = isset($_POST['kc-online-preset-link']) ? esc_url($_POST['kc-online-preset-link']) : '';
		$link = str_replace( 'http://features.kingcomposer.com/', 'https://kingcomposer.com/presets/', $link);
		$callback = '
		<script type="text/javascript">
			top.kc.cfg.preset_link = "'.$link.'";
			top.kc.backbone.push(\''.str_replace( "\n", '\'+"\n"+\'', base64_decode($data)).'\');
		</script>';

		// The decoded value is echoed without any further escaping.
		echo $callback;

	}



This function renders JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.

As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim's browser. The patched version of the plugin resolved the issue by removing the vulnerable function entirely.
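The ordering problem described above, as an added example that is not the plugin's code: plain PHP without WordPress, where htmlspecialchars() stands in for esc_attr() and the function names and sample input are constructed for illustration. It shows that escaping the base64 text changes nothing, while decoding first and then encoding for the JavaScript string context neutralizes the same input.

```php
<?php
// Added example, plain PHP without WordPress: htmlspecialchars() stands in
// for esc_attr(); function names and the sample input are constructed.

// Order used by the vulnerable function: escape the encoded text, then decode.
function escape_then_decode(string $param): string {
    // Base64 text contains none of the characters this call rewrites.
    $escaped = htmlspecialchars($param, ENT_QUOTES, 'UTF-8');
    return (string) base64_decode($escaped);
}

// Corrected order: decode strictly, then encode for a JavaScript string context.
function decode_then_encode_for_js(string $param): ?string {
    $decoded = base64_decode($param, true); // strict: false on non-base64 input
    if ($decoded === false) {
        return null;
    }
    // JSON_HEX_* turns < > & ' " into \uXXXX escapes, so the value cannot
    // close the string literal or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($decoded, $flags);
    return $json === false ? null : $json; // false on invalid UTF-8
}

// Lists which script-context metacharacters are present in a string.
function metachars_present(string $s): array {
    return array_values(array_filter(
        ["'", '"', '<', '>', '&'],
        fn(string $c): bool => strpos($s, $c) !== false
    ));
}

// Constructed sample: just the metacharacters, base64-encoded as a client would send them.
$param = base64_encode("'\"<>&");

$flawed = escape_then_decode($param);
$fixed  = decode_then_encode_for_js($param);

printf("parameter as received : %s\n", $param);
printf("escape, then decode   : %s  (metacharacters: %d)\n", $flawed, count(metachars_present($flawed)));
// Strip the enclosing quotes that json_encode adds before counting.
printf("decode, then encode   : %s  (metacharacters: %d)\n", $fixed, count(metachars_present(trim((string) $fixed, '"'))));
```

The encoded result already includes its enclosing double quotes, so it is emitted as the complete JavaScript string literal rather than being wrapped in quotes again.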

Disclosure Timeline

June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
June 29, 2020 – Patched version of KingComposer is released.
July 15, 2020 – Firewall rule becomes available to Wordfence Free users.


In today's post, we discussed a Reflected Cross-Site Scripting (XSS) vulnerability in the KingComposer WordPress plugin, and provided some background on how Reflected XSS attacks work. This vulnerability has been fully patched in version 2.9.5 and we strongly recommend updating to this version immediately. Sites running Wordfence Premium have been protected from this vulnerability, as well as older vulnerabilities in the KingComposer plugin, since June 15, 2020. Sites still using the free version of Wordfence will receive the firewall rule update on July 15, 2020.

The post XSS Flaw Impacting 100,000 Sites Patched in KingComposer appeared first on Wordfence.

About the author 

WP Maintain Support Protect
