PT-2019-19928 · WordPress · Kingcomposer

Tim Coen

Published

2019-03-21

Updated

2019-03-25

CVE-2019-9910

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions kingcomposer plugin version 2.7.6

Description The issue affects the kingcomposer plugin for WordPress, where an XSS vulnerability is present in the wp-admin/admin.php?page=kc-mapper endpoint, specifically with the id parameter.

Recommendations For kingcomposer plugin version 2.7.6, consider disabling access to the wp-admin/admin.php?page=kc-mapper endpoint until a patch is available, or avoid using the id parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-9910

Affected Products

Kingcomposer

PT-2019-19928 · WordPress · Kingcomposer

CVE-2019-9910

Weakness Enumeration

Related Identifiers

Affected Products

References · 5