WordPress Plugin Vulnerabilities

KingComposer - Authenticated Stored XSS

Description

An user with the Contributor or Author privileges can inject arbitrary Javascript code in a KC section. When an admin or editor opens the malicious KC section the arbitrary JS code runs.

Affects Plugins

Plugin icon
kingcomposer
Fixed in 2.8.2

References

URL
https://twitter.com/evaristegal0is/status/1120693553976565762
URL
https://plugins.trac.wordpress.org/changeset/2073237/kingcomposer
URL
https://plugins.trac.wordpress.org/changeset/2073348/kingcomposer

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.4 (high)

Miscellaneous

Original Researcher
Luigi
Submitter
Luigi
Submitter website
https://www.gubello.me/blog/
Submitter twitter
@evaristegal0is
Verified
No
WPVDB ID
c1dd1881-fdf6-4dc6-81ca-c95aed2a7396

Timeline

Publicly Published
2019-04-23 (about 7 years ago)
Added
2019-04-30 (about 7 years ago)
Last Updated
2020-07-09 (about 5 years ago)

Other

Published
Title
Published
2021-12-06
Title
Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting
Published
2023-05-22
Title
Rank Math SEO PRO < 3.0.36 - Unauthenticated Reflected XSS
Published
2025-02-24
Title
Elementor Website Builder < 3.25.11 - Contributor+ Stored XSS
Published
2025-12-14
Title
Lightweight Accordion < 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-28
Title
Funnel Kit Funnel Builder PRO < 3.5.0 Authenticated(Contributor+) Stored Cross-Site Scripting via allow_iframe_tag_in_post