Monday, April 19, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

KingComposer patches XSS flaw impacting 100,000 WordPress websites

July 10, 2020
in Internet Security
KingComposer patches XSS flaw impacting 100,000 WordPress websites
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin. 

KingComposer is a drag-and-drop page builder for WordPress-based domains that removes the need to program or directly code websites powered by the content management system (CMS). 

You might also like

Security crucial as 5G connects more industries, devices

Google releases Chrome 90 with HTTPS by default and security fixes

SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack

See also: Researchers connect Evilnum hacking group to cyberattacks against Fintech firms

The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and issued a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to facilitate page builder features. 

One of the Ajax functions was not in active use but could still be launched by sending a POST request to a script called admin-ajax.php with an action parameter set to kc_install_online_preset.

The function renders JavaScript across a variety of parameters that are then base64-decoded. 

“As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,” the researchers say. 

CNET: China aims to dominate everything from 5G to social media — but will it?

Reflected XSS vulnerabilities rely on a victim to perform a particular action to trigger an attack. This can be achieved by serving malicious links that need to be clicked on, for example, and if successful, could lead to browser session hijacking or malware download and execution. 

The Wordfence Threat Intelligence team attempted to contact the developers of the plugin a day after their discovery. However, there was no response, leading to the team reaching out directly to the WordPress Plugins team on June 25. By June 26, contact was made with the KingComposer developers and a patched version of the plugin, version 2.9.5, was released on June 29. 

TechRepublic: Highest-paying tech jobs: Where to find them

The security issue was resolved by removing the vulnerable, and obsolete, Ajax function.

At the time of writing, 62.1% of users have updated to version 2.9.5, and so 37.9% of websites with KingComposer enabled are still at risk of exploit.  

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Credit: Zdnet

Previous Post

Building a Deep-Learning-Based Movie Recommender System

Next Post

HHLA to predict container dwell time with machine learning solutions

Related Posts

Security crucial as 5G connects more industries, devices
Internet Security

Security crucial as 5G connects more industries, devices

April 17, 2021
Google releases Chrome 90 with HTTPS by default and security fixes
Internet Security

Google releases Chrome 90 with HTTPS by default and security fixes

April 17, 2021
SolarWinds cybersecurity spending tops $3 million in Q4, sees $20 million to $25 million in 2021
Internet Security

SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack

April 17, 2021
Google Project Zero testing 30-day grace period on bug details to boost user patching
Internet Security

Google Project Zero testing 30-day grace period on bug details to boost user patching

April 17, 2021
Cyberattack on UK university knocks out online learning, Teams and Zoom
Internet Security

Cyberattack on UK university knocks out online learning, Teams and Zoom

April 17, 2021
Next Post
HHLA to predict container dwell time with machine learning solutions

HHLA to predict container dwell time with machine learning solutions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Machine Learning Helps Optimize Therapeutic Antibodies
Machine Learning

Machine Learning Helps Optimize Therapeutic Antibodies

April 18, 2021
Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights
Machine Learning

Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights

April 18, 2021
Automating Drug Discovery With Machine Learning
Machine Learning

Automating Drug Discovery With Machine Learning

April 18, 2021
Twitter aims to fight bias by examining its own machine learning algorithms
Machine Learning

Twitter aims to fight bias by examining its own machine learning algorithms

April 18, 2021
Make Machine Learning Interpretable with Shapash
Machine Learning

Make Machine Learning Interpretable with Shapash

April 18, 2021
Why the Patent Classification System Needs an Update
Machine Learning

Why the Patent Classification System Needs an Update

April 18, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Machine Learning Helps Optimize Therapeutic Antibodies April 18, 2021
  • Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights April 18, 2021
  • Automating Drug Discovery With Machine Learning April 18, 2021
  • Twitter aims to fight bias by examining its own machine learning algorithms April 18, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates