Page Builder KingComposer <= 2.9.6 – Open Redirect

Hi:

I think that it should be validated if the $id parameter inside the get_thumbn() function on “wp-content/plugins/kingcomposer/includes/kc.ajax.php” file stores an external url and empty it in that case.

But I’m not an expert, it would be the ideal if the plugin’s author reappeared.

Kind regards.

I understand, but it seems like the developers are ghosts… Maybe we can get a clone and put the plugin on a public git, and a community can give the continuous project. I’m open to help, my strong is front office (HTML, CSS and some JavaScript). My formation is UI/UX / Web Designer.

Don’t let die, this fabulous plugin. What you think about it?

Best regards

I already put the plugin in a git repository:

https://bitbucket.org/lightnoise/kingcomposer/src/master/

Who would like to participate?

Thanks

I have made a commit with a fast proposal by a friend (novadir.com). No guarantee, you see . Test if works for you. Remember replace $domain var with yours.

I hope it will help.

I will test, thanks

Is ok, i only change the “mydomain” to $_SERVER[‘HTTP_HOST’]

Works, without edit the file every time is installed on another domain.

Cool

Give my thanks to your friend (Novadir)

• This reply was modified 2 years, 8 months ago by lpalmeida.
• This reply was modified 2 years, 8 months ago by lpalmeida.

Should I release this fix to the public? What you think about? New version like (2.9.6.1), hope we can make a great community and move forward

According to my friend, perhaps it would be safer if you use home_url WordPress function and parse the url instead of php superglobal var (see https://stackoverflow.com/a/50301646).

He doesn’t provide any guarantee, it was a favour, so you can do what you see fit.

We are glad it works for you. If it helps anyone else, his PYPL is novadir at gmail.com.

Best regards.

Thanks in advance, I follow your instructions, and worked like a charm.

If you need me for anything, don’t hesitate to drop a line

Luís Almeida