Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

KingComposer fixes a reflected XSS impacting 100,000 WordPress sites

An XSS vulnerability in the KingComposer page builder for WordPress impacts 100,000 websites using the WordPress plugin.  Researchers at Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin that potentially impacts 100,000 websites.  KingComposer a fast drag-and-drop page builder for WordPress websites, which comes complete with top-notch features embedded and […]

ShapedPlugin plugin

An XSS vulnerability in the KingComposer page builder for WordPress impacts 100,000 websites using the WordPress plugin. 

Researchers at Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin that potentially impacts 100,000 websites. 

KingComposer a fast drag-and-drop page builder for WordPress websites, which comes complete with top-notch features embedded and a truly intuitive UI.

The vulnerability resides in Ajax functions used by the plugin to implement page builder features.

KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this

One of the Ajax functions registered by KingComposer was no longer actively used, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

“One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.” reads the analysis published by Wordfence. “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.”

The Wordfence Threat Intelligence team discovered the XSS bug on June 25.

To exploit the vulnerability, the attacker has to trick the victim into clicking a specially crafted link.

Below the timeline of the vulnerability:

  • June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
  • June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
  • June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
  • June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
  • June 29, 2020 – Patched version of KingComposer is released.
  • July 15, 2020 – Firewall rule becomes available to Wordfence Free users.

This vulnerability has been addressed with the release of the version 2.9.5.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]