CVE-2022-0165 Overview
CVE-2022-0165 is an Open Redirect vulnerability affecting the Page Builder KingComposer WordPress plugin through version 2.9.6. The vulnerability exists because the plugin does not properly validate the id parameter before redirecting users via the kc_get_thumbn AJAX action. This action is accessible to both unauthenticated and authenticated users, significantly expanding the attack surface.
Critical Impact
Attackers can craft malicious URLs that redirect unsuspecting users to phishing sites or malware distribution points, leveraging the trust of the legitimate WordPress domain.
Affected Products
- King-theme KingComposer WordPress plugin through version 2.9.6
- WordPress installations using the vulnerable KingComposer page builder
- Any website utilizing the affected AJAX endpoint kc_get_thumbn
Discovery Timeline
- 2022-03-14 - CVE-2022-0165 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0165
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, commonly known as Open Redirect). The KingComposer plugin implements an AJAX handler for the kc_get_thumbn action that accepts an id parameter used to construct a redirect URL. The critical flaw is the absence of proper validation or sanitization of this parameter before executing the redirect operation.
The vulnerability is particularly concerning because the AJAX endpoint is accessible without authentication, meaning any visitor to a site running the vulnerable plugin can be targeted. Attackers can exploit this by crafting URLs that appear to originate from a trusted WordPress domain but actually redirect victims to malicious external sites.
Root Cause
The root cause of CVE-2022-0165 is insufficient input validation in the kc_get_thumbn AJAX action handler. The plugin fails to implement proper URL validation, allowlist checking, or sanitization of the redirect target. This allows arbitrary external URLs to be passed through the id parameter, enabling attackers to redirect users to any destination of their choosing while the initial request appears legitimate.
Attack Vector
This vulnerability is exploitable over the network and requires user interaction (clicking a malicious link). An attacker would craft a specially formatted URL targeting a WordPress site running the vulnerable KingComposer plugin. When a victim clicks the link, they would initially connect to the legitimate WordPress site, which would then redirect them to an attacker-controlled destination. This technique is commonly used in:
- Phishing campaigns: Attackers can redirect users to fake login pages designed to steal credentials
- Malware distribution: Victims can be redirected to sites hosting drive-by downloads
- Reputation attacks: The legitimate domain's reputation can be leveraged to bypass email filters and security tools
The attack can bypass URL filtering mechanisms that trust the legitimate WordPress domain, as the initial request appears to go to a trusted site.
Detection Methods for CVE-2022-0165
Indicators of Compromise
- Unusual AJAX requests to admin-ajax.php with action parameter set to kc_get_thumbn
- HTTP requests containing external domain URLs in the id parameter
- Increased redirect responses (HTTP 302/301) from the WordPress AJAX endpoint
- User reports of being redirected to unexpected external sites after clicking internal links
Detection Strategies
- Monitor web server access logs for requests to admin-ajax.php containing action=kc_get_thumbn with suspicious id parameters
- Implement Web Application Firewall (WAF) rules to detect and block open redirect patterns in AJAX requests
- Use URL pattern matching to identify requests attempting to redirect to external domains
- Deploy SentinelOne Singularity for real-time detection of malicious redirect chains and suspicious web traffic patterns
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX actions, particularly the kc_get_thumbn endpoint
- Configure alerting for abnormal volumes of redirect responses from the WordPress installation
- Implement content security policies to restrict allowed redirect destinations
- Regularly audit installed WordPress plugins for known vulnerabilities using security scanning tools
How to Mitigate CVE-2022-0165
Immediate Actions Required
- Update the KingComposer plugin to the latest version that addresses this vulnerability
- If an update is not immediately available, consider temporarily disabling the KingComposer plugin
- Review access logs for any evidence of exploitation attempts
- Implement WAF rules to block malicious redirect attempts targeting the vulnerable endpoint
Patch Information
Organizations should check for updated versions of the KingComposer plugin that address this open redirect vulnerability. For detailed vulnerability information, refer to the WPScan Vulnerability Report. Verify that any patches applied successfully remediate the lack of input validation in the kc_get_thumbn AJAX handler.
Workarounds
- Implement server-side URL validation to restrict redirects to trusted domains only
- Use a Web Application Firewall to block requests with external URLs in the id parameter
- Temporarily disable AJAX functionality for the kc_get_thumbn action if the plugin cannot be updated
- Consider using alternative page builder plugins that have been audited for security vulnerabilities
# WordPress .htaccess rule to block suspicious kc_get_thumbn requests
# Add to your WordPress .htaccess file
RewriteEngine On
RewriteCond %{QUERY_STRING} action=kc_get_thumbn [NC]
RewriteCond %{QUERY_STRING} id=https?:// [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
