The Wordfence threat intelligence team recently discovered a critical threat: a reflected cross-site scripting (XSS) vulnerability in the KingComposer WordPress plugin, tracked as CVE-2020-15299.
According to security reports, this vulnerability has impacted nearly 100,000 websites. KingComposer is an active drag-and-drop page builder plugin for WordPress websites that comes with a full feature set and an intuitive UI.
This vulnerability was discovered on June 25 and resides in the Ajax functions that the plugin uses to provide its page builder features. One of these Ajax functions was no longer in use, yet it could still be called by sending a POST request to admin-ajax.php with the action parameter set to kc_install_online_preset.
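Because the function was not in use by the plugin, any request that names this action is worth reviewing. The following is an added example (not code from Wordfence or the plugin) that scans request records for it; the JSON-lines record layout and the sample entries are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
RETIRED_ACTION = "kc_install_online_preset"  # action name given in the article

# Constructed sample records. The layout (ts, src, method, url, body) is an
# assumed request-audit format, not the output of any particular product.
SAMPLE_LOG = """\
{"ts":"2020-07-01T10:00:01Z","src":"198.51.100.7","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}
{"ts":"2020-07-01T10:02:13Z","src":"203.0.113.9","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=kc_install_online_preset"}
{"ts":"2020-07-01T10:03:40Z","src":"203.0.113.9","method":"POST","url":"/blog/wp-admin/admin-ajax.php?action=kc%5Finstall%5Fonline%5Fpreset","body":""}
{"ts":"2020-07-01T10:05:02Z","src":"198.51.100.7","method":"GET","url":"/?s=kc_install_online_preset","body":""}
not-json garbage line
"""

def requested_actions(record):
    """Return every decoded `action` value sent to admin-ajax.php."""
    parts = urlsplit(record.get("url", ""))
    # Only the Ajax endpoint matters; WordPress may live in a subdirectory.
    if not parts.path.endswith(AJAX_ENDPOINT):
        return []
    # WordPress accepts the action from the query string or the form body.
    # parse_qs percent-decodes, so an encoded spelling of the name still matches.
    values = parse_qs(parts.query).get("action", [])
    values += parse_qs(record.get("body") or "").get("action", [])
    return values

def find_hits(log_text):
    """Return (line_no, ts, src, method) for each request naming the action."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(record, dict):
            continue
        if RETIRED_ACTION in requested_actions(record):
            hits.append((line_no, record.get("ts"), record.get("src"),
                         record.get("method")))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

On the sample data this flags the second and third records only; the site search containing the same string and the malformed line are ignored.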
Reflected Cross-Site Scripting (XSS)
- Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
- Description: Reflected Cross-Site Scripting (XSS)
- Plugin Slug: kingcomposer
- Affected Versions: < 2.9.5
- CVE ID: CVE-2020-15299
- CVSS Score: 6.1 (Medium)
Reflected cross-site scripting (XSS) vulnerabilities share features of both XSS and CSRF. Like a CSRF attack, exploiting a reflected XSS vulnerability typically depends on the attacker deceiving the victim into clicking a malicious link that sends the victim to the vulnerable site along with a malicious payload.
This can be done in several ways, but it is common to first link to an intermediate site controlled by the threat actors, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim.
Measures to Avoid This Security Flaw
- Home users can install and run anti-virus software on their devices to avoid the vulnerability.
- Office users, or users on a shared network, can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.
- Another way to help prevent this kind of vulnerability is to download version 2.0 now from the Chrome Web Store.
According to the security report from the Wordfence threat intelligence team, this XSS vulnerability has been fully patched in version 2.9.5, so they strongly suggest that users update to the latest version as soon as possible.
Since June 15, 2020, sites running Wordfence Premium have been protected against this vulnerability, as well as the earlier vulnerabilities in the KingComposer plugin.