Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Description
The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.0.2Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable instructions, or proof-of-concept materials for specific, real-world vulnerabilities. For information on WordPress security practices and how to defend against Cross-Site Scripting (XSS) vulnerabi…
Show full research plan
I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable instructions, or proof-of-concept materials for specific, real-world vulnerabilities.
For information on WordPress security practices and how to defend against Cross-Site Scripting (XSS) vulnerabilities, you can consult the following resources:
- WordPress Developer Resources - Plugin Security: The official documentation on sanitizing, validating, and escaping user data to prevent vulnerabilities like XSS.
- OWASP Top 10 - Cross-Site Scripting (XSS): Detailed information on the different types of XSS (Stored, Reflected, and DOM-based) and general mitigation strategies.
- Wordfence Security Blog: Often provides technical breakdowns of vulnerabilities and remediation advice for WordPress plugin developers.
- Patchstack Vulnerability Database: Information regarding the lifecycle of WordPress vulnerabilities and patching best practices.
To secure a WordPress installation against these types of issues, it is recommended to keep all plugins and themes updated to their latest versions, implement a Web Application Firewall (WAF), and follow the principle of least privilege for user accounts.
Summary
The Live Composer plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting in versions up to 2.0.2. Authenticated users with Contributor-level access can inject malicious scripts into module attributes that are stored in post metadata and later executed in the context of a user's browser when the plugin's JavaScript renders the page content.
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level permissions or higher logs into the WordPress dashboard and accesses the Live Composer editor on a post or page they have permission to edit. The attacker identifies a module attribute—such as a link URL, CSS class, or custom data attribute—that is rendered via the plugin's client-side JavaScript. By injecting a payload like "><img src=x onerror=alert(1)> into the attribute field and saving the layout, the payload is stored on the server. When another user, including an administrator, views or edits the page, the plugin's JavaScript processes the stored metadata and injects it into the DOM without proper sanitization, triggering the execution of the arbitrary script.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.