As stated in their post, the researchers found a reflected cross-site scripting (XSS) vulnerability in the plugin. It existed in an AJAX function that was no longer actively used but remained functional alongside the plugin's other AJAX functions.
An attacker could exploit this function by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. In turn, the attacker could execute malicious JavaScript in the browsers of users visiting the target website.
Describing how this would happen, Wordfence stated:
This function renders a JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step. As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser.
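To make the ordering problem concrete, here is an added Python simulation; it is not the plugin's code. The esc_attr stand-in uses html.escape, and the shape of the rendered script tag is an assumption. It shows why escaping before base64-decoding is a no-op and what decode-then-encode for the real output context looks like.

```python
import base64
import html
import json


def esc_attr(value: str) -> str:
    """Stand-in for WordPress esc_attr (assumed): HTML-escape for attribute context."""
    return html.escape(value, quote=True)


def render_vulnerable(preset_data: str) -> str:
    """Escape first, decode second: the ordering the advisory describes.

    The base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains nothing that
    esc_attr rewrites, so the escaping step changes nothing and whatever
    was encoded lands in the page untouched.
    """
    escaped = esc_attr(preset_data)
    decoded = base64.b64decode(escaped).decode("utf-8", errors="replace")
    return f"<script>var presetData = '{decoded}';</script>"


def render_fixed(preset_data: str) -> str:
    """Decode and validate first, then encode for the actual output context.

    The value is written into a JavaScript string, so it is serialised as a
    JSON literal with angle brackets escaped rather than attribute-escaped.
    Malformed input is rejected instead of rendered.
    """
    try:
        decoded = base64.b64decode(preset_data, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ""
    js_literal = json.dumps(decoded).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var presetData = {js_literal};</script>"


def escaping_is_noop(preset_data: str) -> bool:
    """True when esc_attr leaves the raw parameter unchanged (always, for valid base64)."""
    return esc_attr(preset_data) == preset_data


# Constructed, harmless marker standing in for attacker-controlled markup.
SAMPLE_MARKER = "<b>injected</b>"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_MARKER.encode()).decode()

if __name__ == "__main__":
    print(escaping_is_noop(SAMPLE_ENCODED))                    # True
    print(SAMPLE_MARKER in render_vulnerable(SAMPLE_ENCODED))  # True: markup survives
    print(SAMPLE_MARKER in render_fixed(SAMPLE_ENCODED))       # False
```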
Following their report, the developers patched the vulnerability with the release of KingComposer – Free Drag and Drop page builder version 2.9.5. The patch includes the complete removal of the unused function from the code.
Hence, now that the patch is available, users should update their sites to the latest patched version of the plugin to stay protected from potential attacks.
Let us know your thoughts in the comments.