WordPress Plugin Vulnerabilities

KingComposer - Reflected Cross-Site Scripting

Description

The Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme WordPress plugin was affected by a Reflected Cross-Site Scripting security vulnerability.

Affects Plugins

Plugin icon
kingcomposer
Fixed in 2.8.1

References

CVE
CVE-2019-9910
URL
https://security-consulting.icu/blog/2019/02/wordpress-kingcomposer-xss/
URL
https://lists.openwall.net/full-disclosure/2019/02/05/11

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Tim Coen
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
cceefe97-6de6-4755-a4f0-5977a243cd95

Timeline

Publicly Published
2019-02-05 (about 7 years ago)
Added
2019-03-22 (about 7 years ago)
Last Updated
2020-07-09 (about 5 years ago)

Other

Published
Title
Published
2024-11-28
Title
소셜 공유 버튼 By 코스모스팜 <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-01
Title
Beds24 Online Booking < 2.0.28 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-22
Title
GutenKit < 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-19
Title
Related Products Manager for WooCommerce < 1.6.3 - Contributor+ Stored XSS
Published
2025-07-07
Title
Lightbox & Modal Popup WordPress Plugin – FooBox < 2.7.35 - Authenticated (Author+) Stored Cross-Site Scripting