CVE-2020-15299

Name of the Vulnerable Software and Affected Versions KingComposer plugin versions through 2.9.4 for WordPress

Description A reflected Cross-Site Scripting issue allows remote attackers to trick a victim into submitting an install online preset AJAX request containing base64-encoded JavaScript, executed in the victim's browser. The kc-online-preset-data POST parameter is used to inject malicious JavaScript.

Recommendations For KingComposer plugin versions through 2.9.4, consider disabling the install online preset AJAX request functionality until a patch is available. Restrict access to the kc-online-preset-data parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.