CVE-2021-25048: 
WordPress vulnerability analysis and mitigation

The KingComposer WordPress plugin through version 2.9.6 contains a security vulnerability identified as CVE-2021-25048. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on March 14, 2022. This security issue affects the profile creation functionality in the KingComposer WordPress plugin, where insufficient security controls allow authenticated users to create arbitrary profiles with malicious content (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium). The technical root cause stems from three main security control failures: lack of proper authorization, missing CSRF protection, and inadequate sanitization/escaping during profile creation. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

When exploited, this vulnerability allows authenticated users to inject malicious JavaScript code into profiles, which can then be executed in other users' browsers when viewing the affected profiles. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against WordPress administrators and users (WPScan).

As of the latest available information, there is no known fix for this vulnerability in the KingComposer plugin. Website administrators using affected versions (2.9.6 and below) should consider either removing the plugin or implementing additional security controls at the web application firewall level to filter malicious inputs (WPScan).