
XSS Flaw Impacting 100,000 WordPress Sites – Update Now!!

Recently, the threat intelligence team at Wordfence discovered a critical threat: a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2020-15299, in the KingComposer WordPress plugin.

According to security reports, this vulnerability affects nearly 100,000 websites, since KingComposer is a widely installed drag-and-drop page builder plugin for WordPress that ships with a full set of features and an intuitive UI.

The vulnerability was discovered on June 25 and resides in the Ajax functions the plugin uses to implement its page builder features. One of those Ajax functions was no longer in active use, yet it could still be invoked by sending a POST request to the admin-ajax.php script with the action parameter set to kc_install_online_preset.

Reflected Cross-Site Scripting (XSS)

  • Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
  • Description: Reflected Cross-Site Scripting (XSS)
  • Plugin Slug: kingcomposer
  • Affected Versions: < 2.9.5
  • CVE ID: CVE-2020-15299
  • CVSS Score: 6.1 (medium)

Reflected cross-site scripting (XSS) vulnerabilities share features of both XSS and CSRF. As with a CSRF attack, exploiting a reflected XSS vulnerability typically depends on the attacker deceiving the victim into clicking a malicious link that sends the victim to the vulnerable site together with a malicious payload.

This can be done in several ways, but it is most common to first link the victim to an intermediate site under the threat actors' control; that site then sends a request containing the malicious payload to the vulnerable site on behalf of the victim.

In a stored XSS attack, the malicious payload is saved by the vulnerable site and executed in the victim's browser whenever it is served. In reflected XSS, by contrast, the vulnerable site immediately outputs, or reflects, the malicious JavaScript payload, which is executed a single time in the victim's browser rather than being stored in the database for later execution.
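To make the two points above concrete (an admin-ajax.php action that is still reachable although unused, and a payload that is reflected straight back into the response), here is an added illustration in the form of a WordPress Ajax handler. It is example code written for this page, not KingComposer's code; the action name demo_preset_preview, the nonce name demo_preset_nonce and the callback names are hypothetical. The first handler shows the vulnerable pattern, the second the hardened rewrite a plugin author would ship.

```php
<?php
// Added example (not KingComposer's code). Action and function names are
// hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern: reflected XSS through a disused Ajax action -------
// Any POST to /wp-admin/admin-ajax.php with action=demo_preset_preview reaches
// this callback. Registering the nopriv hook as well means unauthenticated
// visitors can trigger it, and the request parameter is echoed back raw.
add_action( 'wp_ajax_demo_preset_preview',        'demo_preset_preview_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_preset_preview', 'demo_preset_preview_vulnerable' );

function demo_preset_preview_vulnerable() {
    $preset = isset( $_POST['preset'] ) ? $_POST['preset'] : '';
    // Reflected verbatim into an HTML response: nothing is stored, so the
    // payload runs once, in the browser of whoever was lured into sending
    // this request. That is exactly the reflected (not stored) XSS case.
    echo '<div class="preset">' . $preset . '</div>';
    wp_die();
}

// --- Hardened pattern -------------------------------------------------------
// 1. Expose only actions the plugin still uses, and never on the nopriv hook
//    unless anonymous access is genuinely intended. A handler that is "not in
//    current use" should be removed, not left registered.
add_action( 'wp_ajax_demo_preset_preview', 'demo_preset_preview_hardened' );

function demo_preset_preview_hardened() {
    // 2. CSRF protection: the request must carry a nonce that only a page this
    //    site rendered for this user could have obtained. Dies on failure.
    check_ajax_referer( 'demo_preset_nonce', 'nonce' );

    // 3. Authorisation: page-builder previews are an editor-level feature.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Sanitise on input, escape on output. sanitize_text_field() strips
    //    tags and control characters; esc_html() neutralises whatever is left
    //    before it lands in an HTML context.
    $preset = isset( $_POST['preset'] )
        ? sanitize_text_field( wp_unslash( $_POST['preset'] ) )
        : '';

    echo '<div class="preset">' . esc_html( $preset ) . '</div>';
    wp_die();
}

// The front-end script obtains its nonce from a localised variable, e.g.
// wp_localize_script( 'demo-builder', 'demoAjax',
//     array( 'nonce' => wp_create_nonce( 'demo_preset_nonce' ) ) );
// and sends it as the "nonce" POST field alongside "action" and "preset".
```

The nonce check addresses the CSRF-like delivery described above (a request forged on the victim's behalf), the capability check limits who can reach the handler at all, and the escaping removes the reflection itself; removing the dead action is what eliminates the attack surface entirely.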

Measures to Avoid This Security Flaw

  • Personal home users can install and run anti-virus software on their devices to avoid this vulnerability.
  • Office users, or users operating on a shared network, can ask the network administrator to run a scan across the network for misconfigured or infected devices.
  • Another measure that helps prevent this kind of vulnerability is to download version 2.0 from the Chrome Web Store.

According to the Wordfence threat intelligence team's report, this XSS vulnerability has been fully patched in version 2.9.5, so they strongly recommend that users update their installed version to the latest release as soon as possible.

Since June 15, 2020, sites running Wordfence Premium have been protected against this vulnerability, as well as against the earlier vulnerabilities in the KingComposer plugin.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
