WordPress Plugin Vulnerabilities

KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them

Proof of Concept

Affects Plugins

Plugin icon
kingcomposer
No known fix

References

CVE
CVE-2021-25048

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
5687e5db-d987-416d-a7f4-036cce4d56cb

Timeline

Publicly Published
2022-03-14 (about 3 years ago)
Added
2022-03-14 (about 3 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2025-10-21
Title
Simple Youtube Shortcode <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-09-22
Title
Image Editor by Pixo <= 2.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-05
Title
Universal Video Player <= 3.8.3 - Reflected Cross-Site Scripting
Published
2016-11-10
Title
WP Google Maps <= 6.3.14 - Authenticated Stored Cross-Site Scripting (XSS) via CSRF
Published
2024-04-16
Title
App Builder < 3.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode