Underconstruction Project: >> Underconstruction >> 1.12 Security Vulnerabilities
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-20
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-06-20
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
CVSS Score
6.1
EPSS Score
0.139
Published
2021-09-01