Medium severity 6.1 · NVD Advisory · Published Sep 1, 2021 · Updated Jun 17, 2026
CVE-2021-39320
Description
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of $GLOBALS['PHP_SELF'] in the ucOptions.php file. On certain configurations, including Apache+modPHP, this makes it possible to perform a reflected Cross-Site Scripting attack by injecting malicious code into the request path.
Affected products
- Range: <=1.18
- Noah Kagan/underConstruction · v5 · Range: 1.18
References
- wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875 (nvd, Third Party Advisory)
- www.wordfence.com/vulnerability-advisories/ (nvd, Third Party Advisory)