Lucene search
+L

44 matches found

CVE
CVE
added 2022/06/20 10:26 a.m.77 views

CVE-2022-1895

The CVE records a CSRF vulnerability in the WordPress underConstruction plugin, affecting versions before 1.20. The issue arises from missing CSRF protection when deactivating Construction mode, enabling a logged-in admin action via CSRF attack. Connected sources confirm affected software (WordPr...

4.3CVSS4.4AI score0.00412EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2022/06/20 10:26 a.m.28 views

CVE-2022-1895 underConstruction < 1.20 - Construction Mode Deactivation via CSRF

The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack...

4.9AI score0.00412EPSS
Exploits2References1
CNNVD
CNNVD
added 2022/06/20 12:0 a.m.6 views

WordPress plugin underConstruction 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The WordPress plugin is an application plugin. cross-site scripting vulnerability exists in versions of the WordPress underConstruction plugin...

4.8CVSS5.2AI score0.00565EPSS
Exploits2References2
CNNVD
CNNVD
added 2022/06/20 12:0 a.m.7 views

WordPress plugin underConstruction 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. Cross-site request forgery...

4.3CVSS5.7AI score0.00412EPSS
Exploits2References2
WPVulnDB
WPVulnDB
added 2022/05/26 12:0 a.m.15 views

underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletredhtml capability is disallowed. PoC In the plugin's settings, active Under Contraction...

4.8CVSS4.7AI score0.00565EPSS
Exploits2References1Affected Software1
wpexploit
wpexploit
added 2022/05/26 12:0 a.m.143 views

underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletredhtml capability is disallowed. In the plugin's settings, active Under Contraction...

4.8CVSS4.8AI score0.00565EPSS
Exploits2References1
Patchstack
Patchstack
added 2022/05/26 12:0 a.m.23 views

WordPress underConstruction plugin <= 1.20 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas in WordPress underConstruction plugin versions = 1.20. Solution Update the WordPress underConstruction plugin to the latest available version at least 1.21...

4.8CVSS2.8AI score0.00565EPSS
Exploits2References3Affected Software1
Patchstack
Patchstack
added 2022/05/26 12:0 a.m.23 views

WordPress underConstruction plugin <= 1.19 - Construction Mode Deactivation via Cross-Site Request Forgery (CSRF) vulnerability

Construction Mode Deactivation via Cross-Site Request Forgery CSRF vulnerability discovered by Daniel Ruf in WordPress underConstruction plugin versions = 1.19. Solution Update the WordPress underConstruction plugin to the latest available version at least 1.20...

4.3CVSS5.1AI score0.00412EPSS
Exploits2References3Affected Software1
wpexploit
wpexploit
added 2022/05/26 12:0 a.m.134 views

underConstruction < 1.20 - Construction Mode Deactivation via CSRF

The plugin does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack...

4.3CVSS2.8AI score0.00412EPSS
Exploits2
Wordfence Blog
Wordfence Blog
added 2021/09/28 3:8 p.m.38 views

PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin

Today’s post is part one of a two part blog post. It describes a cross site scripting vulnerability that exploits the PHPSELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHPSELF. So be sure to look out fo...

4.3CVSS6.7AI score0.02335EPSS
Exploits1
CNVD
CNVD
added 2021/09/03 12:0 a.m.17 views

WordPress underConstruction cross-site scripting vulnerability

WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language. The platform supports the erection of personal blog sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress underConstruction plugin in version 1.18...

6.1CVSS1.6AI score0.02335EPSS
Exploits1References1
OSV
OSV
added 2021/09/01 3:15 p.m.8 views

CVE-2021-39320

The underConstruction plugin = 1.18 for WordPress echoes out the raw value of $GLOBALS'PHPSELF' in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the...

6.1CVSS6.4AI score0.02335EPSS
Exploits1References2
NVD
NVD
added 2021/09/01 3:15 p.m.11 views

CVE-2021-39320

The underConstruction plugin = 1.18 for WordPress echoes out the raw value of $GLOBALS'PHPSELF' in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the...

6.1CVSS0.02335EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2021/09/01 2:15 p.m.6 views

CVE-2021-39320 underConstruction <= 1.18 - Reflected Cross-Site Scripting

The underConstruction plugin = 1.18 for WordPress echoes out the raw value of $GLOBALS'PHPSELF' in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the...

6.1CVSS6.1AI score0.02335EPSS
Exploits1References2
CVE
CVE
added 2021/09/01 2:15 p.m.77 views

CVE-2021-39320

CVE-2021-39320 affects the WordPress Under Construction plugin (versions

6.1CVSS6AI score0.02335EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2021/09/01 2:15 p.m.21 views

CVE-2021-39320 underConstruction <= 1.18 - Reflected Cross-Site Scripting

The underConstruction plugin = 1.18 for WordPress echoes out the raw value of $GLOBALS'PHPSELF' in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the...

6.1CVSS6.2AI score0.02335EPSS
Exploits1References2
CNNVD
CNNVD
added 2021/09/01 12:0 a.m.5 views

WordPress 插件跨站脚本漏洞

WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language. The platform supports the erection of personal blog sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress underConstruction plugin in version 1.18...

6.1CVSS5.4AI score0.02335EPSS
Exploits1References2
wpexploit
wpexploit
added 2021/08/31 12:0 a.m.182 views

underConstruction < 1.19 - Reflected Cross-Site Scripting

The plugin does not escape the PHPSELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/"alert/XSS//?page=under-construction...

6.1CVSS1AI score0.02335EPSS
Exploits1References2
Patchstack
Patchstack
added 2021/08/31 12:0 a.m.19 views

WordPress underConstruction plugin <= 1.18 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by Ram Gall WordFence in WordPress underConstruction plugin versions = 1.18. Solution Update the WordPress underConstruction plugin to the latest available version at least 1.19...

6.1CVSS2.1AI score0.02335EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2021/08/31 12:0 a.m.15 views

underConstruction < 1.19 - Reflected Cross-Site Scripting

The plugin does not escape the PHPSELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/admin.php/"/?page=under-construction...

6.1CVSS0.9AI score0.02335EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder