Skip to content
Nuclei Templates

WordPress Page Builder KingComposer <=2.9.6 - Open Redirect

ID: CVE-2022-0165

Severity: medium

Author: akincibor

Tags: cve,cve2022,wp-plugin,redirect,wordpress,wp,wpscan,king-theme

Description

Section titled “Description”

WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users).

YAML Source

Section titled “YAML Source”
id: CVE-2022-0165


info:
  name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
  author: akincibor
  severity: medium
  description: WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users).
  impact: |
    An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.
  remediation: |
    Update to the latest version of KingComposer (>=2.9.7) to fix the open redirect vulnerability.
  reference:
    - https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0165
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/K3ysTr0K3R/CVE-2022-0165-EXPLOIT
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0165
    cwe-id: CWE-601
    epss-score: 0.001
    epss-percentile: 0.40148
    cpe: cpe:2.3:a:king-theme:kingcomposer:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: king-theme
    product: kingcomposer
    framework: wordpress
  tags: cve,cve2022,wp-plugin,redirect,wordpress,wp,wpscan,king-theme


http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh"


    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4a0a0047304502205c350af8fcba0919d9efeb3f121949c836eba8cee5095c05269269f3498bcc83022100d599bc83e51993983c5983385cbe0ecb80041572b9e1eabd7084ab2535becfe9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0165.yaml"

View on Github