4 matches found
CVE-2022-0165
Summary: WordPress Page Builder KingComposer plugin (versions ≤ 2.9.6) has an open redirect caused by a lack of validation of the id parameter in the kc_get_thumbn AJAX action, which is accessible to both unauthenticated and authenticated users. Impact: attackers can redirect users to malicious s...
CVE-2021-25048
The CVE-2021-25048 entry concerns the WordPress KingComposer plugin (versions up to 2.9.6). The vulnerability is a stored cross-site scripting (XSS) flaw resulting from missing authorization checks, CSRF protection, and input sanitisation when creating profiles, allowing any authenticated user to...
CVE-2020-15299
The CVE-2020-15299 entry is a real XSS flaw in the WordPress KingComposer plugin, affecting versions up to 2.9.4. The vulnerability allows remote attackers to lure a user into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (kc-online-preset-data) that is exe...
CVE-2019-9910
The CVE-2019-9910 entry concerns the WordPress KingComposer plugin, version 2.7.6, which is affected by a cross-site scripting (XSS) vulnerability via the wp-admin/admin.php?page=kc-mapper id parameter. Multiple connected sources corroborate the vulnerability in KingComposer 2.7.6 and describe it...