
CVE-2022-0165: King-theme Kingcomposer CSRF Vulnerability

CVE-2022-0165 is a CSRF flaw in the King-theme KingComposer WordPress plugin that lets attackers exploit an unvalidated redirect through an AJAX action. This article covers technical details, affected versions, and mitigation.


CVE-2022-0165 Overview

CVE-2022-0165 is an open redirect vulnerability in the Page Builder KingComposer WordPress plugin through version 2.9.6. The plugin fails to validate the id parameter before redirecting users via the kc_get_thumbn AJAX action. This action is exposed to both authenticated and unauthenticated users, allowing attackers to craft URLs that redirect victims to attacker-controlled destinations. Open redirects facilitate phishing campaigns and credential theft by abusing the trusted domain of the vulnerable WordPress site. The flaw is tracked as CWE-601: URL Redirection to Untrusted Site.

Critical Impact

Attackers can abuse the vulnerable WordPress site as a trusted redirector to drive victims to phishing pages or malware delivery infrastructure.

Affected Products

  • King-theme KingComposer WordPress plugin versions up to and including 2.9.6
  • WordPress installations exposing the kc_get_thumbn AJAX endpoint
  • Sites running the plugin without authentication restrictions on AJAX actions

Discovery Timeline

  • 2022-03-14 - CVE-2022-0165 published to the National Vulnerability Database (NVD)
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0165

Vulnerability Analysis

The Page Builder KingComposer plugin registers the kc_get_thumbn AJAX action through the WordPress admin-ajax.php handler. The plugin processes the id request parameter and issues an HTTP redirect to the supplied value. The handler does not verify that the destination belongs to the current host or to an approved allowlist. An attacker crafts a URL pointing to the WordPress site that includes a malicious id value referencing an external domain. When a victim clicks the link, the WordPress site responds with a redirect to the attacker-chosen URL. The attack succeeds without authentication because the AJAX action is wired to both the wp_ajax_ and wp_ajax_nopriv_ hooks.

Root Cause

The vulnerability stems from missing input validation on the id parameter before performing the redirect. The plugin trusts user-supplied data as a redirect target. WordPress provides the wp_safe_redirect() function, which enforces a host allowlist, but the plugin uses an unsafe redirect path instead.

Attack Vector

The attack requires network access to the WordPress site and user interaction. An attacker distributes a URL of the form https://victim-site.example/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=<attacker_url> through email, social media, or messaging platforms. Victims see the legitimate WordPress domain in the link, click through, and land on the attacker's infrastructure. The CVSS scope change reflects that the user's browser session is moved from the trusted origin to an attacker-controlled origin. Refer to the WPScan Vulnerability Detail for technical specifics.

Detection Methods for CVE-2022-0165

Indicators of Compromise

  • HTTP requests to admin-ajax.php with the action=kc_get_thumbn parameter and an external URL in the id parameter
  • Web server access logs showing 3xx redirect responses to kc_get_thumbn requests
  • Spike in referrer traffic from the WordPress site to unfamiliar external domains

Detection Strategies

  • Inspect admin-ajax.php request parameters for fully qualified URLs in the id field that do not match the site's own host
  • Correlate user-agent strings and source IPs hitting kc_get_thumbn with known phishing infrastructure feeds
  • Alert on outbound redirects to recently registered or low-reputation domains via web application firewall (WAF) telemetry
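As an added example that is not code from the page or from the KingComposer plugin, the following Python script applies the host check the Root Cause section says the handler omits (modeled on the allowlist test a wp_safe_redirect()-style redirect performs) and runs it over access-log lines to implement the detection strategy above. The site hostname victim-site.example and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "victim-site.example"  # assumed hostname of the monitored WordPress site

# Constructed combined-format access-log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://phish.example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.6 - - [14/Mar/2022:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=%2F%2Fphish.example%2Fx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2022:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=/wp-content/uploads/a.jpg HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2022:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://victim-site.example/b.jpg HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2022:10:03:00 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_external_target(value: str, site_host: str) -> bool:
    """True when a redirect to `value` would leave site_host (the check the handler omits)."""
    candidate = unquote(value).strip()        # catch a second URL-encoding layer
    candidate = candidate.replace("\\", "/")  # browsers treat "\" like "/" in URLs
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                           # javascript:, data:, ... are never on-site
    if parts.scheme and not parts.netloc:
        return True                           # "https:///host" normalises to https://host/
    if not parts.netloc:
        return False                          # plain path: stays on the current host
    return (parts.hostname or "").lower() != site_host.lower()


def find_open_redirect_hits(log_text: str, site_host: str) -> list:
    """Return kc_get_thumbn requests whose id parameter points off-host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(query, keep_blank_values=True)  # decodes one %xx layer
        if params.get("action", [""])[0].lower() != "kc_get_thumbn":
            continue
        for raw_id in params.get("id", []):
            if is_external_target(raw_id, site_host):
                hits.append({"ip": m.group("ip"), "status": m.group("status"), "id": raw_id})
    return hits
```

Relative paths and absolute URLs on the site's own host pass, while scheme-relative, userinfo-prefixed and backslash-obfuscated targets are flagged.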

Monitoring Recommendations

  • Forward WordPress and reverse proxy access logs to a centralized log platform for parameter-level analysis
  • Track the rate of redirect responses tied to plugin AJAX endpoints over time to baseline normal usage
  • Monitor threat intelligence feeds for phishing campaigns that abuse WordPress open redirect chains

How to Mitigate CVE-2022-0165

Immediate Actions Required

  • Inventory all WordPress sites for the Page Builder KingComposer plugin and identify versions at or below 2.9.6
  • Disable or uninstall the plugin where it is not actively required for site functionality
  • Block external URLs in the id parameter of kc_get_thumbn requests at the WAF or reverse proxy layer

Patch Information

No fixed version is referenced in the available advisory data. Site operators should consult the WPScan Vulnerability Detail and the plugin's WordPress.org page for the latest release status. If a patched version is unavailable, removal is the recommended path.

Workarounds

  • Deploy a WAF rule that rejects kc_get_thumbn requests where the id parameter contains http://, https://, or // sequences
  • Restrict access to admin-ajax.php actions exposed to unauthenticated users through IP allowlisting or authentication requirements
  • Replace KingComposer with an actively maintained page builder that validates redirect targets

```bash
# Example ModSecurity rule blocking external redirect attempts.
# The first rule matches the vulnerable action; the chained rule fires only when
# the id parameter starts with an absolute or scheme-relative URL, so on-site
# paths still pass. t:trim strips leading whitespace that would defeat the anchor.
SecRule ARGS:action "@streq kc_get_thumbn" \
    "chain,phase:2,deny,status:403,id:1002201650,\
    msg:'Blocked KingComposer open redirect attempt (CVE-2022-0165)'"
    SecRule ARGS:id "@rx ^(https?:)?//" "t:trim,t:lowercase"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
