100,000 WordPress sites affected due to XSS in plugin

100,000 WordPress sites affected due to XSS in plugin

Daniel Kebbe's photo
Daniel Kebbe

Published on Sep 8, 2020

11 min read

Nearly 1 million WordPress sites are being hit by a single threat actor attempting to inject a redirect into the sites by exploiting a cross-site scripting..

The attacks were discovered by a Threat Intelligence Team, which noted that since April 28 the number of XSS attacks has been 30 times its normal rate. The team believes a single actor is behind the attacks based on the fact that the same payload is used in each attack.

The payload is a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a Wordpress backdoor into the theme’s header.

An XSS attack while being used for a redirect here, can lead to more serious security issues.

“Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware or hijack users to nefarious sites. Such techniques have been used to launch Magecart attacks against thousands of e-commerce sites resulting in the theft of millions of credit card numbers,”

The scale of the attacks is staggering. Security experts at WP Hacked Help, A widely popular WordPress malware removal service, believe the malicious actor may have launched a few small-scale attacks before April 28, but has since massively increased the number of incidents with 20 million attacks attempted against more than 500,000 individual sites on May 3 alone.

WordPress plugins have been the focus of many attacks, but this campaign is by far the largest spotted.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” the team reported.

What is Reflected Cross-Site Scripting(XSS)?

Cross-site scripting (XSS) or cross-site scripting is a script injection attack on a web application that accepts input but improperly separates data from executable code before returning that input to a user's browser.

As in any injection attack, XSS exploits the fact that browsers do not differentiate valid tags from those of the hacker and just execute what they receive.

The attack circumvents the rule of common origin, that security measures used by web programming languages ​​such as JavaScript and Angular. To put it simply, this rule is that all elements of a web page come from a single source.

When not enforced, a hacker can inject a script and modify the web page for their own purposes. For example, he can retrieve data that will be used to pass himself off as an authenticated user or introduce malicious code that the browser will then execute.

A number of security controls, when used together, reduce or even completely eliminate the threat of cross-site scripting:

Data input validation verifies that the user's input matches the expected format. For example, a browser script has no place in a phone number field. The content security policy restricts the scripts that can be executed or loaded on a web page.

The output encoding tells the browser that certain characters it will receive are to be treated as display text rather than executable code.

A standard web page contains many contexts, including the body HTML HTML attribute, script, and CSS stylesheet. Each of these output contexts relies on different character encodings to prevent the execution of the payload of a malicious script. Many web languages ​​and frameworks provide template engines that can automatically define the output context for variable data to be included in the final web page.

Validating entries against a blacklist, a technique used in particular by web application firewalls is not a reliable solution to prevent script injection attacks. By nature, blacklists are a security response formulated some posterior that depends on lists that are often obsolete and incomplete.

While outbound encoding and content security policies are the most effective solution to the problems posed by XSS attacks, they have their limitations: you must correctly define the output encoding for the expected output context and configure CSP policies. so as to make them as restrictive as possible.

For reflected XSS attacks to successfully exploit a user, an attacker must trick the user into taking an action. For this reason, we strongly recommend that you remain vigilant when clicking on any links or attachments in comments, emails, and other sources of communication, unless you are sure of their integrity and legitimacy.

Description: Reflected Cross-Site Scripting(XSS) Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

  • Plugin Slug: kingcomposer
  • Affected Versions: < 2.9.5
    • CVE ID: CVE-2020-15299
    • CVSS Score: 6.1(medium)
    • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    • Fully Patched Version: 2.9.5

KingComposer is a WordPress plugin that allows drag and drop page creation, and it registers a number of AJAX actions to achieve this. One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin / admin-ajax.php with the action parameter set to kc_install_online_preset.

public function install_online_preset(){

$data = isset($_POST['kc-online-preset-data']) ? esc_attr($_POST['kc-online-preset-data']) : '';
$link = isset($_POST['kc-online-preset-link']) ? esc_url($_POST['kc-online-preset-link']) : '';
$link = str_replace( 'http://features.kingcomposer.com/', 'https://kingcomposer.com/presets/', $link);
$callback = '
<script type="text/javascript">
    top.kc.cfg.preset_link = "'.$link.'";
    top.kc.backbone.push(\''.str_replace( "\n", '\'+"\n"+\'', base64_decode($data)).'\');

echo $callback;



This function renders JavaScript based on the content of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it looks safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64 decoded after this step.

As such, if an attacker used base64 encoding on a malicious payload and caused a victim to send a request containing that payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim's browser.

The corrected version of this plugin solved the problem by removing the vulnerable function entirely.

The attacks are targeting five WordPress plugins — some of which have been discontinued but are still in use by certain site operators — with vulnerabilities that may have not yet been patched by users. These include an XSS vulnerability in Easy2Map, a plugin with only 3,000 installs, which was pulled from the WordPress repository in August 2019, but was the focus of about half of the current attacks. Also targeted was an option update vulnerability in the plugin Total Donations, which was removed from the Envato Marketplace in early 2019.

Blog Designer, which currently has only about 1,000 installs still active, had its XSS vulnerability patched in 2019 in Blog Designer which was patched in 2019.

The options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL This plugin has 100,000 installs, but 95 percent have already received the updated. Finally, the XSS vulnerability in Newspaper which was patched in 2016 was included.

Disclosure Timeline

  • June 15, 2020 - Security experts team discovers unpatched vulnerability while investigating newly fixed vulnerabilities in KingComposer plugin. We publish a firewall rule covering both patched and unpatched vulnerabilities to our Premium users.
  • June 16, 2020 Contact with the developers of the KingComposer plugin.
    • June 25, 2020
  • Then contacted the WordPress Plugins team regarding the vulnerability. - June 26, 2020 - The WordPress Plugins team responds and indicates that they are in contact with the developers of the KingComposer plugin.
  • June 29, 2020 - The corrected version of KingComposer is released.
    • July 15, 2020 - The firewall rule becomes available to users.

Conclusion In today's blog post, we discussed a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress KingComposer plugin and provided general information on how Reflected XSS attacks work. This vulnerability has been completely fixed in version 2.9.5 and we strongly recommend that you update this version immediately.

Related Posts:

Share this