The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when the unfiltered_html is disabled. Edit (WPScanTeam) A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be affected and the vendor was contacted with a detailed report to fix them.
Log in as admin, go to the plugin's settings (/wp-admin/options-general.php?page=ucp, Content tab), set the below field to the given value, save them and view either the preview or put the site under construction and view it (not as admin as they are whitelisted by default), to trigger the payloads. v < 3.80 Headline: Sorry, we're doing some work on the site"/><script>alert(1337)</script> Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/"/><script>alert(1337)</script> v < 3.86: Headline: "><img src onerror=alert(/XSS/)> Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/" onfocus="alert(/XSS-Profile/)> (then click on the related icon in the frontend)
atmon3r
atmon3r
Yes
2021-01-20 (about 2 years ago)
2021-01-20 (about 2 years ago)
2021-01-20 (about 2 years ago)