CVE-2020-36709: 
WordPress vulnerability analysis and mitigation

The Page Builder: KingComposer plugin for WordPress (100,000+ active installations) was found to contain a Stored Cross-Site Scripting vulnerability in versions before 2.9.4. The vulnerability exists due to insufficient input sanitization and output escaping when handling shortcode parameters. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was discovered and disclosed in June 2020 (NinTechNet Blog).

The vulnerability stems from improper sanitization of shortcode attributes in the plugin's core files. Specifically, in the 'kingcomposer/shortcodes/kcrowinner.php' script, the $atts attribute isn't properly sanitized before being used in HTML output. This allows attackers to inject HTML events and JavaScript code through shortcode parameters. For example, an attacker could inject malicious code using the 'columnalign' parameter in the kcrow_inner shortcode (NinTechNet Blog).

The vulnerability allows authenticated attackers to inject and store malicious JavaScript code in pages created with the KingComposer plugin. When other users visit the affected pages, the injected scripts will execute in their browsers, potentially leading to session hijacking, credential theft, or other client-side attacks (NinTechNet Blog).

Users should immediately update to KingComposer version 2.9.4 or later which contains the fix for this vulnerability. The issue was patched on June 8th, 2020. Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) were protected against this vulnerability through their web application firewall (NinTechNet Blog).