CVE-2020-36701 in KingComposer Plugin
Summary
by MITRE • 06/07/2023
The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server.
Analysis
by VulDB Data Team • 04/09/2026
CVE-2020-36701 affects the Page Builder: KingComposer plugin for WordPress in versions up to and including 2.9.3. The flaw lies in the 'process_bulk_action' function in 'kingcomposer/includes/kc.extensions.php', which handles uploads for the plugin's extension management. Because the function does not adequately validate the name, type and content of the uploaded file, an authenticated user holding the Author role or higher can place arbitrary files on the server, which is sufficient for remote code execution and therefore full compromise of the site.
Exploitation goes through the plugin's bulk-action handler rather than the normal WordPress media uploader. WordPress itself restricts the file types a user without the 'unfiltered_upload' capability may upload, but 'process_bulk_action' accepts the file without enforcing an equivalent check, so an attacker with an Author account can submit a PHP web shell (or a file with a double extension or forged image header, depending on the web server's handler configuration) and then request it directly to execute code. The weakness is CWE-434, Unrestricted Upload of File with Dangerous Type, the classic route from file upload to remote code execution. The required privilege level is what makes this case notable: Author accounts are routinely given to content creators, contractors and guest writers, and are a frequent target of credential stuffing and phishing, so the precondition is easy to satisfy in many deployments.
The impact is not limited to the upload itself. A file that the web server will execute gives the attacker arbitrary code execution in the context of the web server account, which normally has read access to wp-config.php (database credentials, salts) and write access to the whole plugin and theme tree. From there the attacker can read and exfiltrate the database, inject content or redirects into every page, install persistent backdoors in other plugins, and use the host as a staging point for further attacks. In ATT&CK terms the exploitation of the upload handler is T1190 (Exploit Public-Facing Application) for initial access, and the uploaded web shell is T1505.003 (Server Software Component: Web Shell) for persistence.
Sites running KingComposer should update to the patched version immediately; where that is not possible, the plugin should be deactivated, since the vulnerable handler is reachable by any Author-level account. Independently of the plugin, the upload directory should be configured so that the web server never executes scripts from it, Author and Contributor accounts should be audited and reduced to the minimum needed, and a web application firewall can block multipart requests that carry executable extensions. For detection, monitor the uploads and plugin directories for newly created PHP files and for files whose content does not match their extension, and alert on authenticated POST requests to the plugin's extension endpoints that carry file uploads. The case illustrates two recurring lessons: every upload path, not only the core media uploader, needs the same allow-list validation of extension and content, and a low-privilege role should never be able to reach a code path that writes attacker-controlled bytes to a web-served location. The same weakness class remains common across WordPress plugins and themes, so periodic review of any plugin that accepts uploads is worthwhile.
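The following is an added example, not code from the KingComposer plugin and not a reproduction of 'process_bulk_action' (the vulnerable code is not shown on this page). It implements the validation an upload handler in this position must perform (allow-listed extension, inspection of every extension in a dotted name, leading-byte signature check, and a scan for PHP open tags) and reuses the same check as a post-incident hunt over an uploads tree, covering both the validation and the monitoring points of the analysis above. The directory layout, file contents and the set of executable extensions are constructed for the example; the extension list assumes a default Apache or nginx PHP handler mapping and should be adjusted to the real server configuration.

```python
"""Upload validation and web-shell hunting for a WordPress uploads tree.

Added illustration for the CVE-2020-36701 analysis above; it is not
KingComposer's code and does not reproduce process_bulk_action.  The
directory layout and file contents used below are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the web server would hand to the PHP interpreter.  Assumed
# default Apache/nginx handler mapping; adjust to the real configuration.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Extensions a content-upload endpoint should accept, with the leading
# bytes a genuine file of that type starts with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}

# Matches both the long "<?php" and the short "<?=" open tag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, head: bytes) -> list[str]:
    """Return the reasons an upload must be rejected (empty list = accept).

    Every dotted component after the base name is inspected, so
    'shell.php.jpg' (Apache AddHandler-style double extension) is caught
    as well as 'shell.phtml'.  Hidden files such as '.htaccess' are
    rejected outright because one of those in the uploads directory can
    re-enable script execution.  The leading bytes must match the claimed
    type, so a PHP file renamed to .png is caught too.
    """
    reasons = []
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        reasons.append("no extension or hidden file")
        return reasons
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        reasons.append("executable extension in name: " + name)
    last = exts[-1]
    if last not in ALLOWED_MAGIC:
        reasons.append("extension not on allow-list: " + last)
    elif not head.startswith(ALLOWED_MAGIC[last]):
        reasons.append("content does not match ." + last + " signature")
    if PHP_TAG.search(head):
        reasons.append("PHP open tag in content")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Post-incident hunt: apply check_upload() to every file under root
    (for example wp-content/uploads), where nothing should be executable.
    Only the first 4 KiB is read; a hunt that must catch a tag appended to
    a large image should read the whole file instead.
    """
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(4096)
            reasons = check_upload(path.name, head)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_tree() -> str:
    """Constructed uploads directory after a successful exploitation: two
    legitimate images, a plain web shell, a double-extension shell and a
    PHP file disguised as a PNG.  Shell bodies are placeholders."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2023/06/banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2023/06/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2023/06/cache.php": b"<?php /* web shell body omitted */ ?>",
        "2023/06/photo.php.jpg": b"<?php /* web shell body omitted */ ?>",
        "2023/06/logo.png": b"<?php /* web shell body omitted */ ?>",
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, why in sorted(scan_tree(sample_root).items()):
        print(rel, "->", "; ".join(why))
```

Running the script flags cache.php, photo.php.jpg and logo.png and leaves the two genuine images alone. At upload time the handler would call check_upload() on the client-supplied name and the first bytes of the temporary file and refuse the request on any non-empty result; on a live site the same check over wp-content/uploads gives a quick first pass for web shells left behind after this vulnerability was exploited.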