WordPress Plugin Vulnerabilities

Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when the unfiltered_html is disabled.

Edit (WPScanTeam)
A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be affected and the vendor was contacted with a detailed report to fix them.

Proof of Concept

Affects Plugins

Plugin icon
under-construction-page
Fixed in 3.86

References

URL
https://plugins.trac.wordpress.org/changeset/2326120
URL
https://plugins.trac.wordpress.org/changeset/2459690

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
atmon3r
Submitter
atmon3r
Submitter website
https://atmon3r.fr
Submitter twitter
atmon3r
Verified
Yes
WPVDB ID
2ec65510-5e4a-4af5-af58-3b0ca1b56c8d

Timeline

Publicly Published
2021-01-20 (about 5 years ago)
Added
2021-01-20 (about 5 years ago)
Last Updated
2021-01-20 (about 5 years ago)

Other

Published
Title
Published
2024-11-14
Title
IP Based Login < 2.4.1 - Admin+ Stored XSS
Published
2024-03-19
Title
GamiPress – Button < 1.0.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-01-03
Title
OZ Canonical <= 0.5 - Reflected Cross-Site Scripting
Published
2023-11-06
Title
Bitly's < 2.7.2 - Contributor+ Stored XSS
Published
2019-06-28
Title
Watu Quizz < 3.1.2.6 - Reflected XSS via question-form.html.php