Home Cyber Security XSS flaw affecting 100,000+ WordPress sites patched by KingComposer

XSS flaw affecting 100,000+ WordPress sites patched by KingComposer

WordPress XSS flaw
WordPress XSS flaw

There is some good news amidst all this gloom in the cybersecurity world and the world in general which is that a major security flaw has been patched affecting security of WordPress websites. As per a report from earlier, there was an XSS flaw in the open which was affecting websites based on WordPress platform and already more than 100,000 websites were affected by it. Also, this flaw was unpatched so far and more sites were at risk of this flaw being exposed by other hackers.

The good news, however, is that KingComposer has now patched the XSS flaw that was affecting these WordPress sites and it means that your sites are now safe from this particular bug. The reason why this XSS flaw was dangerous was that it could execute malicious payloads on visitor browsers. As far as KingComposer is concerned, they are a “drag-and-drop page builder for WordPress-based domains that removes the need to program or directly code websites powered by the content management system (CMS)”.

WordFence security team found this flaw inside WordPress and listed it as critical on June 25. Also, it was due to the Ajax functions that were used for page builder features inside WordPress. Now that the flaw has been fixed, it will be safe to use page builders again on WordPress. Detailing the flaw, the researchers said that “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,”

One slight concern is that report shows that “62.1% of users have updated to version 2.9.5, and so 37.9% of websites with KingComposer enabled are still at risk of exploit” meaning two-third of the sites are now safe but one-third of them are still vulnerable.