CVE-2020-15299 in kingcomposer Plugin

Summary

by MITRE

A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser.


Analysis

by VulDB Data Team • 07/10/2020

CVE-2020-15299 is a reflected cross-site scripting flaw in the KingComposer plugin for WordPress, affecting version 2.9.4 and earlier. The vulnerability lies in the plugin's handling of the install_online_preset AJAX action, which reads the kc-online-preset-data POST parameter, base64-decodes it and writes the result back into the response without escaping it. An attacker who gets a victim to submit such a request has arbitrary JavaScript executed in the victim's browser, in the origin of the vulnerable site and with whatever that user's session is allowed to do there.

Technically this is the classic reflected XSS pattern: attacker-controlled input arrives in a request and is returned in the response without output encoding, so the browser interprets it as markup rather than data. Here the input does not come from a visible form field; it arrives as a POST parameter to the AJAX endpoint, and the base64 encoding is not attacker obfuscation but the format the endpoint expects, since the plugin decodes the value on the server before using it. One practical consequence of that server-side decoding is that the request as seen on the wire contains no "<script" string at all, so signature rules that only inspect the raw request body will not see the payload; any detection or WAF rule has to decode the parameter first.

Operationally, exploitation depends on social engineering. Because the parameter travels in a POST body, the attacker cannot simply hand out a link; the victim has to load an attacker-controlled page, or an injected snippet on a compromised site, that auto-submits a form to the vulnerable site's admin-ajax.php with the crafted kc-online-preset-data value. Once the script runs it holds the privileges of the victim's session on that site. WordPress sets its authentication cookies HttpOnly, so reading them directly is normally not possible, but the script can issue authenticated requests as the user, harvest nonces and form contents from the page, modify content, deface the site or redirect the victim elsewhere. If the victim is an administrator, that amounts to administrative access to the site for as long as the page stays open.

The impact goes beyond the XSS itself because the executed script is a foothold for follow-on actions inside the site. In ATT&CK terms the vulnerability maps to T1059.007 (Command and Scripting Interpreter: JavaScript) for the executed payload and T1566 (Phishing) for the delivery step that gets the victim to submit the request. The weakness class is CWE-79 (Improper Neutralization of Input During Web Page Generation), that is, user-controlled data written into a page without escaping. Organizations running KingComposer versions before 2.9.5 should update; where updating is delayed, output encoding of the parameter, input validation and security headers reduce exposure but do not replace the patch.

Remediation is updating KingComposer to 2.9.5 or later, which adds input validation and sanitization for the affected parameter. A Content Security Policy that restricts script sources adds a second layer, with the caveat that wp-admin relies heavily on inline scripts, so a policy strict enough to stop reflected XSS there needs nonces or hashes and careful testing. Monitoring should look specifically for POST requests to admin-ajax.php with action=install_online_preset and base64-decode the kc-online-preset-data parameter before matching it against script patterns, since matching on the raw body will not see the payload; a WAF rule needs the same decode step. Finally, assess the rest of the WordPress installation, since the same reflected-XSS pattern recurs in other plugins and themes.
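The detection step described above, and the reason given earlier that raw-body signatures miss a base64-carried payload, as an added example. This is not code from the VulDB entry or from the KingComposer project: it assumes request records that preserve method, path and raw POST body (as a reverse proxy or WAF would log them), takes the action and parameter names from the advisory, and uses a constructed stand-in for the preset format rather than the plugin's real one.

```python
"""Flag install_online_preset AJAX requests whose base64 payload carries script.

Added example, not part of the VulDB entry or the KingComposer code base. It
assumes request logs that preserve method, path and the raw POST body; the
parameter names come from the advisory, the preset content is a stand-in.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Markup that has no business in preset data. Every alternative needs a
# character ('<', ':' or a quote) that form-encoding percent-escapes, so the
# pattern cannot fire on the raw body; only the decoded value can match.
SCRIPT_PATTERN = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=\s*[\"']|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)


def preset_body(preset: str) -> str:
    """Build the form body a browser would send for install_online_preset."""
    encoded = base64.b64encode(preset.encode("utf-8")).decode("ascii")
    return urlencode({"action": "install_online_preset", "kc-online-preset-data": encoded})


# Constructed sample requests (method, path, body). The preset content is a
# stand-in; the real plugin format is not reproduced here.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", preset_body('{"title":"Hero","content":"[kc_row][/kc_row]"}')),
    ("POST", "/wp-admin/admin-ajax.php", preset_body("<script>alert(document.domain)</script>")),
    ("POST", "/wp-admin/admin-ajax.php", "action=install_online_preset&kc-online-preset-data=abc"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=deadbeef"),
    ("GET", "/", ""),
]


def decode_preset_data(value: str):
    """Base64-decode the parameter as the plugin would; None if it is not valid base64."""
    try:
        return base64.b64decode(value).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(method: str, path: str, body: str):
    """Return a finding for install_online_preset POSTs, None for everything else."""
    if method != "POST" or not path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "install_online_preset":
        return None
    encoded = params.get("kc-online-preset-data", [""])[0]
    decoded = decode_preset_data(encoded)
    if decoded is None:
        return {"verdict": "malformed", "raw_match": False, "decoded_match": False, "preview": encoded[:60]}
    decoded_hit = bool(SCRIPT_PATTERN.search(decoded))
    return {
        "verdict": "suspicious" if decoded_hit else "benign",
        "raw_match": bool(SCRIPT_PATTERN.search(body)),  # what a body-only WAF rule sees
        "decoded_match": decoded_hit,
        "preview": decoded[:60],
    }


def scan(requests):
    """Run inspect_request over (method, path, body) tuples, dropping non-findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The raw_match field is kept in each finding on purpose: for the malicious sample it is False while decoded_match is True, which is exactly the gap a rule that never decodes the parameter falls into. The malformed verdict is worth alerting on as well, since a request to this action with undecodable preset data is not something the plugin's own UI produces.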

Reservation

06/25/2020

Moderation

accepted

CPE

ready

EPSS

0.46960

KEV

no

Activities

very low
