According to NinTechNet experts, the developers of Visual Composer, a WordPress plugin with more than 80,000 currently active installations, announced the remediation of multiple vulnerabilities that would allow cross-site scripting (XSS) attacks to be deployed and the web application firewall to be bypassed. Experts in a cyber security course mention that the flaws were present in versions 25.0 and later, although they could also be found in some implementations of version 26.0.
Like the third tab (System Status), it is loaded by calling the addSubmenuPage method from the script shown below:
According to the experts in the cyber security course, an optional user capability is expected as an argument. If none is passed, access falls back to the default capability, which is available to any user who can edit posts, including low-privileged users such as contributors. When addSubmenuPage is called to configure the tab, the addPage method in the script “visualcomposer/visualcomposer/Modules/Settings/Pages/CssJsSettings.php” does not pass a capability:
Bypassing the firewall
When users save a post, the payload sent by Visual Composer is heavily obfuscated, so it can bypass the web application firewall and security plugins. The following is an example of the small payload used in the image above, sent via the VCv-admin-ajax AJAX action:
It is JSON-encoded, zlib-compressed and finally Base64-encoded. Decoding occurs in the parseRequest method of the following script:
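The three layers described above (JSON, then zlib, then Base64) are the reason a firewall that inspects only the raw request body never sees the markup inside the payload. The script below is an added example written for this article, not code from Visual Composer or NinTechNet: it reverses those layers the way a detection rule or log-review tool would, then walks the decoded JSON looking for script markup. The sample payload, the field names and the marker list are constructed for the demonstration.

```python
import base64
import binascii
import json
import zlib

# Markers a reviewer would flag inside post content (constructed, not exhaustive).
SUSPICIOUS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def encode_layered_payload(obj: dict) -> str:
    """Mirror the encoding the article describes (JSON -> zlib -> Base64).

    Used here only to build the constructed sample below.
    """
    return base64.b64encode(zlib.compress(json.dumps(obj).encode("utf-8"))).decode("ascii")


def decode_layered_payload(blob: str):
    """Reverse the layers: Base64 -> zlib -> JSON. Returns None if any layer is malformed."""
    try:
        compressed = base64.b64decode(blob, validate=True)
        raw = zlib.decompress(compressed)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, zlib.error, UnicodeDecodeError, json.JSONDecodeError):
        return None


def find_markup_markers(node, path: str = "") -> list:
    """Walk decoded JSON and return the dotted paths of string values containing a marker."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_markup_markers(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_markup_markers(value, f"{path}[{index}]"))
    elif isinstance(node, str):
        lowered = node.lower()
        if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
            hits.append(path)
    return hits


def raw_body_contains_marker(blob: str) -> bool:
    """What a firewall matching only the raw request body would see."""
    lowered = blob.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def inspect_payload(blob: str):
    """Return (decoded_json, list_of_flagged_paths); decoded_json is None if undecodable."""
    decoded = decode_layered_payload(blob)
    if decoded is None:
        return None, []
    return decoded, find_markup_markers(decoded)


# Constructed sample: a post whose content field carries a script tag.
SAMPLE = encode_layered_payload({
    "title": "Hello",
    "content": "<p>plain text</p><script>x()</script>",
})

if __name__ == "__main__":
    print("raw body matches:", raw_body_contains_marker(SAMPLE))   # False: only Base64 text is visible
    decoded, flagged = inspect_payload(SAMPLE)
    print("decoded:", decoded)
    print("flagged paths:", flagged)                               # ['content']
```

The point of the two checks side by side is that `raw_body_contains_marker` returns False for the very same request in which `inspect_payload` flags the `content` field; a rule that cannot apply the same Base64 and zlib steps as the plugin's parseRequest method has nothing to match on. Malformed input at any layer is reported as undecodable rather than raising, so the check can run over arbitrary request bodies.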
For security, users are recommended to upgrade to the latest version of Visual Composer and to verify their firewall settings. For further reports on vulnerabilities, exploits, malware variants and computer security risks, you can visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.