The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
In the plugin's settings, activate the Under Construction feature, select "Display a custom page using your own HTML", then put the following payload in the "Under Construction Page HTML" field: <svg onload=alert(/XSS/)> The XSS will be triggered on the homepage (when viewed as a non-admin).
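One way to close this class of bug, shown as an added example that is not the plugin's own code or its actual patch: filter the setting on save unless the saving user holds unfiltered_html, and filter again on output when raw HTML is disallowed site-wide. The option name, settings group and function names are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's code. 'example_uc_settings',
// 'example_uc_custom_html' and the function names are hypothetical.

// Runs whenever the option is saved through the Settings API.
function example_uc_sanitize_custom_html( $html ) {
    $html = (string) $html;

    // Users who hold unfiltered_html are trusted to store raw markup.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $html;
    }

    // Everyone else gets the post-content allowlist: tags outside it
    // (such as <svg>) and event-handler attributes (such as onload)
    // are removed before the value reaches the database.
    return wp_kses_post( $html );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_uc_settings',      // hypothetical settings group
        'example_uc_custom_html',   // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_uc_sanitize_custom_html',
        )
    );
} );

// Renders the custom under-construction page for visitors.
function example_uc_render_custom_page() {
    $html = (string) get_option( 'example_uc_custom_html', '' );

    // Values stored before the save-time filter existed may still hold
    // script. When raw HTML is disallowed for the whole site, no stored
    // value can be trusted, so filter again at output.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $html = wp_kses_post( $html );
    }

    echo $html;
}
```

With this callback in place, the payload above is stripped on save for any user who lacks unfiltered_html, so nothing executable is stored for the homepage to render.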
Asif Nawaz Minhas
Yes
2022-05-26 (about 2 months ago)
2022-08-02 (about 17 days ago)