A reflected cross-site scripting (XSS) vulnerability affecting 100,000 websites has been patched in the KingComposer WordPress plugin. A patched version of the plugin, version 2.9.5, was released on June 29. While approximately 62% of users have updated to version 2.9.5, around 38% of websites with KingComposer enabled are still at risk of exploitation.

XSS vulnerabilities still plague us even though XSS was first identified in the year 2000; this year marks the 20th anniversary of its discovery. By 2007, XSS had become the most common exploit of web applications. Unfortunately, XSS remains one of the most frequently attacked vulnerability classes today and ranks among the OWASP Top 10 web application security risks.
To prevent XSS attacks, developers should follow secure coding practices when building a web application. That is a good start to application security, but there is no guarantee that testing and careful coding will catch every XSS vulnerability in the application code. Every organization still needs a layer of application security that protects against those undiscovered XSS vulnerabilities.
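The following is an added example, not code from the article or from the KingComposer plugin, that illustrates the two points above in a minimal page handler: a reflected-XSS defect (user input echoed into HTML unescaped) next to its hardened form, plus a Content-Security-Policy header as the extra protective layer for escaping bugs that slip through. The handler names, the `Response` type and the probe string are constructed for the example.

```python
import html
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for a web framework response (constructed for this example)."""
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample input: the kind of value a reflected-XSS probe carries in a
# query parameter. It is illustrative, not taken from the plugin advisory.
PROBE = '<img src=x onerror="alert(1)">'


def render_search_vulnerable(query: str) -> Response:
    """The defect class described above: the query is reflected into HTML as-is,
    so any markup the attacker places in the parameter becomes part of the page."""
    body = f"<h1>Results for: {query}</h1>"
    return Response(body=body, headers={"Content-Type": "text/html; charset=utf-8"})


def render_search_hardened(query: str) -> Response:
    """Secure-coding fix: escape the value for the HTML text/attribute context
    (angle brackets and both quote characters become entities), and add CSP as a
    defense-in-depth layer. The browser then refuses inline script and inline
    event handlers even if some other template forgets to escape."""
    safe = html.escape(query, quote=True)
    body = f"<h1>Results for: {safe}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return Response(body=body, headers=headers)


def reflects_markup_unescaped(body: str, value: str) -> bool:
    """Simple check a code reviewer or test suite can run: does the raw value,
    angle brackets included, survive verbatim into the response body?"""
    return value in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)):
        resp = handler(PROBE)
        print(f"{name}: reflected unescaped = "
              f"{reflects_markup_unescaped(resp.body, PROBE)}")
        print(f"  body: {resp.body}")
```

The escaping function must match the output context: `html.escape` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block or a URL needs a different encoder. WordPress provides `esc_html()`, `esc_attr()`, `esc_js()` and `esc_url()` for exactly this reason.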