KingComposer plugin for WordPress Cross Site Scripting

Strike ID:
E20-9w031
CVSS:
6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
False Positive:
f
Variants:
1
Year:
2020

Description

This strike exploits a reflected cross-site scripting vulnerability in KingComposer plugin through 2.9.4 for WordPress. The vulnerability takes advantage of kc-online-preset-data parameter to send base64 encoded Javascript. A remote, unauthenticated attacker can exploit this vulnerability by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing the payload in the kc-online-preset-data parameter, that malicious payload would be decoded and executed in the victim's browser.

CVE

References