VYPR

Underconstruction

by WordPress

CVEs (5)

  • CVE-2021-39320MedSep 1, 2021
    risk 0.40cvss 6.1epss 0.02

    The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting…

  • CVE-2024-30548MedMar 31, 2024
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noah Kagan underConstruction allows Stored XSS.This issue affects underConstruction: from n/a through 1.21.

  • CVE-2022-1896MedJun 20, 2022
    risk 0.31cvss 4.8epss 0.01

    The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is…

  • CVE-2022-1895MedJun 20, 2022
    risk 0.28cvss 4.3epss 0.00

    The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

  • CVE-2013-2699Apr 10, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.