  • Vulnerability: XSS
  • Affected Software: KingComposer (80,000+ active installations)
  • Affected Version: 2.7.6
  • Patched Version: none
  • Risk: Medium
  • Vendor Contacted: 10/25/2018
  • Vendor Fix: none
  • Public Disclosure: 02/05/2019
CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The KingComposer WordPress plugin is vulnerable to reflected XSS: the kc-mapper admin page echoes the id GET parameter into an inline script block without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

Proof of Concept
http://192.168.0.103/wordpress/wp-admin/admin.php?page=kc-mapper&id=<%2Fscript><script>alert(1)<%2Fscript>
Code
kingcomposer/includes/kc.actions.php:
echo 'kc_post_ID = "'.$_GET['id'].'",';
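As an added illustration (not the plugin's own code), the echo from kc.actions.php above is reproduced beside two hardened variants and run against the advisory's URL-decoded payload. The function names are hypothetical; absint() and wp_json_encode() are the WordPress equivalents named in the comments.

```php
<?php
// Added example, not KingComposer code: the vulnerable echo beside two fixes.
// Function names are hypothetical; the script wrapper around the echo is assumed.

// 1. Vulnerable form, as in the advisory: raw $_GET['id'] inside a <script> block.
//    Quoting alone does not help, because "</script>" inside a JS string still
//    terminates the script element as far as the HTML parser is concerned.
function render_vulnerable(string $id): string {
    $out  = '<script>var ';
    $out .= 'kc_post_ID = "' . $id . '",';          // the line from kc.actions.php
    $out .= ' kc_ready = true;</script>';
    return $out;
}

// 2. Hardened: a post ID is an integer, so coerce it before output.
//    In WordPress this is absint($_GET['id']).
function render_fixed_int($id): string {
    $post_id = abs((int) $id);                      // absint() equivalent
    return '<script>var kc_post_ID = ' . $post_id . ', kc_ready = true;</script>';
}

// 3. Hardened for a value that must stay a string: JSON-encode it with the HEX
//    flags so <, >, &, ', " become \uXXXX escapes and "/" becomes "\/", which
//    means a "</script>" sequence can never reach the HTML parser.
//    In WordPress: wp_json_encode($id, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT).
function render_fixed_string(string $id): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js = json_encode($id, $flags) ?: '""';         // false on invalid UTF-8: emit empty string
    return '<script>var kc_post_ID = ' . $js . ', kc_ready = true;</script>';
}

// Constructed input: the advisory's PoC payload after URL decoding.
$payload = '</script><script>alert(1)</script>';

foreach (['render_vulnerable', 'render_fixed_int', 'render_fixed_string'] as $fn) {
    $html = $fn($payload);
    // More than one literal "</script>" in the output means the injected markup
    // closed the script block early; the browser would then parse the rest as HTML.
    $verdict = substr_count(strtolower($html), '</script>') > 1 ? 'BREAKS OUT' : 'contained';
    printf("%-20s %-10s %s\n", $fn, $verdict, $html);
}
```

The same substr_count check can be reused as a quick regression test for any page that injects request data into inline JavaScript.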
Timeline
  • 10/25/2018 Asked for email address via contact form
  • 10/26/2018 Vendor responds
  • 10/26/2018 Sent advisory
  • 11/01/2018 Vendor responds that they have strict testing in place, asks whether it is certain that the issue exists
  • 11/01/2018 Confirmed that the issue indeed exists
  • 11/01/2018 Unclear response from vendor
  • 11/01/2018 Asked for clarification and offered to explain the issue further (no response)
  • 02/05/2019 Disclosure