CVE-2022-0165 in Page Builder KingComposer Plugin

Summary

by MITRE • 03/14/2022

The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users.


Analysis

by VulDB Data Team • 03/16/2022

The vulnerability identified as CVE-2022-0165 resides within the Page Builder KingComposer WordPress plugin version 2.9.6 and earlier, representing a critical security flaw that enables unauthorized redirection attacks. This issue specifically affects the kc_get_thumbn AJAX action endpoint which is accessible to both unauthenticated and authenticated users, creating a significant attack surface that can be exploited without requiring valid credentials or administrative privileges. The vulnerability stems from the plugin's failure to properly validate the id parameter before utilizing it in a redirect operation, allowing attackers to manipulate the redirect target through malicious input.

The technical flaw is the lack of input validation for the id parameter within the kc_get_thumbn AJAX handler. This weakness maps to CWE-20, which describes improper input validation, and more specifically aligns with CWE-601, URL Redirection to Untrusted Site ('Open Redirect'), when the vulnerable parameter is used to construct redirect URLs. The vulnerability allows an attacker to craft a request whose id parameter contains a URL pointing to an external domain, potentially leading to phishing attacks, credential theft, or malicious payload delivery. The fact that this endpoint is accessible to unauthenticated users amplifies the threat, as it eliminates the need for prior access or authentication to exploit the vulnerability.

The operational impact of this vulnerability extends beyond simple redirection, as it can be leveraged as a stepping stone for more sophisticated attacks within the context of WordPress environments. Attackers can use this vulnerability to redirect users to malicious domains that may host phishing pages designed to capture login credentials or install malware. The vulnerability affects all WordPress installations using the affected plugin version, regardless of user authentication status, making it particularly dangerous in multi-user environments where legitimate users might be tricked into following malicious links. The open redirect behavior can also be chained with other vulnerabilities to create more complex attack vectors, potentially enabling attackers to bypass security controls or escalate privileges within the WordPress ecosystem.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1566.001, which covers "Phishing: Spearphishing Attachment", and T1566.002, which covers "Phishing: Spearphishing Link", as the open redirect can be used to deliver malicious links that appear legitimate to users. The vulnerability can be exploited through simple HTTP requests targeting the AJAX endpoint, making it accessible to attackers with minimal technical expertise. Security mitigations should include immediate plugin updates to versions that properly validate the id parameter before redirect operations, implementing input sanitization measures, and restricting access to AJAX endpoints through proper authentication checks. Organizations should also consider implementing network-level protections such as web application firewalls that can detect and block suspicious redirect patterns, as well as monitoring for anomalous redirect behavior in their WordPress installations to identify potential exploitation attempts.
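The monitoring suggested above, as an added example (not VulDB's or the plugin's code): a Python filter over web server access logs that flags kc_get_thumbn requests whose id parameter points at a host other than the site itself. The combined log format, the id being sent in the query string, the site host blog.example.com and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a combined-format access log line (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
AJAX_PATH = "/wp-admin/admin-ajax.php"  # standard WordPress AJAX entry point
ACTION = "kc_get_thumbn"                # action named in the advisory

# Constructed sample lines; hosts and addresses are documentation placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=kc_get_thumbn&id=https%3A%2F%2Flogin.example.net%2Freset HTTP/1.1" 302 0',
    '198.51.100.4 - - [16/Mar/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=kc_get_thumbn&id=1234 HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Mar/2022:10:02:30 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=kc_get_thumbn&id=%2F%2Fcdn.example.org%2Fa.png HTTP/1.1" 302 0',
]

def external_host(value, site_host):
    """Return the host an id value points at when it is off-site, else None."""
    # Normalise as browsers do: drop whitespace/control bytes, treat "\" as "/".
    cleaned = re.sub(r"[\x00-\x20]", "", value).replace("\\", "/")
    try:
        host = urlsplit(cleaned).hostname  # set for scheme://host and //host
    except ValueError:                     # malformed authority, e.g. bad brackets
        return None
    if host and host.lower() != site_host.lower():
        return host.lower()
    return None

def find_redirect_abuse(log_lines, site_host):
    """Return (client_ip, target_host) for kc_get_thumbn requests with an off-site id."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith(AJAX_PATH):
            continue
        params = parse_qs(query)  # parse_qs percent-decodes the values
        if ACTION not in params.get("action", []):
            continue
        for value in params.get("id", []):
            host = external_host(value, site_host)
            if host:
                findings.append((m.group("ip"), host))
    return findings
```

Calling `find_redirect_abuse(SAMPLE_LOG, "blog.example.com")` reports the first and third sample lines; requests sent with the id in a POST body do not appear in access logs and need application or WAF logging instead.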

Reservation: 01/10/2022

Disclosure: 03/14/2022

Moderation: accepted

CPE: ready

EPSS: 0.04280

KEV: no

Activities: very low
