Researchers connect Evilnum hacking group to cyberattacks against Fintech firms
The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and issued a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to facilitate page builder features.
One of the Ajax functions was not in active use but could still be launched by sending a POST request to a script called admin-ajax.php with an action parameter set to kc_install_online_preset.
The function renders JavaScript across a variety of parameters that are then base64-decoded.
“As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,” the researchers say.
CNET: China aims to dominate everything from 5G to social media — but will it?
Reflected XSS vulnerabilities rely on a victim to perform a particular action to trigger an attack. This can be achieved by serving malicious links that need to be clicked on, for example, and if successful, could lead to browser session hijacking or malware download and execution.
The Wordfence Threat Intelligence team attempted to contact the developers of the plugin a day after their discovery. However, there was no response, leading to the team reaching out directly to the WordPress Plugins team on June 25. By June 26, contact was made with the KingComposer developers and a patched version of the plugin, version 2.9.5, was released on June 29.
TechRepublic: Highest-paying tech jobs: Where to find them
The security issue was resolved by removing the vulnerable, and obsolete, Ajax function.
At the time of writing, 62.1% of users have updated to version 2.9.5, and so 37.9% of websites with KingComposer enabled are still at risk of exploit.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
