Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when the unfiltered_html is disabled. Edit (WPScanTeam) A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be affected and the vendor was contacted with a detailed report to fix them.
Proof of Concept
Log in as admin, go to the plugin's settings (/wp-admin/options-general.php?page=ucp, Content tab), set the below field to the given value, save them and view either the preview or put the site under construction and view it (not as admin as they are whitelisted by default), to trigger the payloads. v < 3.80 Headline: Sorry, we're doing some work on the site"/><script>alert(1337)</script> Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/"/><script>alert(1337)</script> v < 3.86: Headline: "><img src onerror=alert(/XSS/)> Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/" onfocus="alert(/XSS-Profile/)> (then click on the related icon in the frontend)
Affects Plugins
Fixed in version 3.86✓
Classification
Miscellaneous
Original Researcher
atmon3r
Submitter
atmon3r
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-01-20 (about 8 months ago)
Added
2021-01-20 (about 8 months ago)
Last Updated
2021-01-20 (about 8 months ago)