Vulnerability Details CVE-2022-1896
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.9%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 3.5
References
Products affected by CVE-2022-1896
-
cpe:2.3:a:underconstruction_project:underconstruction:-
-
cpe:2.3:a:underconstruction_project:underconstruction:1.0
-
cpe:2.3:a:underconstruction_project:underconstruction:1.01
-
cpe:2.3:a:underconstruction_project:underconstruction:1.02
-
cpe:2.3:a:underconstruction_project:underconstruction:1.03
-
cpe:2.3:a:underconstruction_project:underconstruction:1.04
-
cpe:2.3:a:underconstruction_project:underconstruction:1.05
-
cpe:2.3:a:underconstruction_project:underconstruction:1.06
-
cpe:2.3:a:underconstruction_project:underconstruction:1.07
-
cpe:2.3:a:underconstruction_project:underconstruction:1.08
-
cpe:2.3:a:underconstruction_project:underconstruction:1.09
-
cpe:2.3:a:underconstruction_project:underconstruction:1.10
-
cpe:2.3:a:underconstruction_project:underconstruction:1.11
-
cpe:2.3:a:underconstruction_project:underconstruction:1.12
-
cpe:2.3:a:underconstruction_project:underconstruction:1.13
-
cpe:2.3:a:underconstruction_project:underconstruction:1.14
-
cpe:2.3:a:underconstruction_project:underconstruction:1.15
-
cpe:2.3:a:underconstruction_project:underconstruction:1.17
-
cpe:2.3:a:underconstruction_project:underconstruction:1.18
-
cpe:2.3:a:underconstruction_project:underconstruction:1.19