WordPress Plugin Vulnerabilities

underConstruction < 1.19 - Reflected Cross-Site Scripting

Description

The plugin does not escape the PHP_SELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
underconstruction
Fixed in 1.19

References

CVE
CVE-2021-39320
URL
https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin/
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ram Gall (Wordfence)
Verified
Yes
WPVDB ID
49ae1df0-d6d2-4cbb-9a9d-bf3599429875

Timeline

Publicly Published
2021-08-31 (about 4 years ago)
Added
2021-08-31 (about 4 years ago)
Last Updated
2023-01-28 (about 2 years ago)

Other

Published
Title
Published
2015-08-10
Title
WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)
Published
2023-10-02
Title
WP Responsive header image slider <= 3.2.1 - Contributor+ Stored XSS
Published
2024-06-04
Title
GP Premium < 2.4.1 - Reflected Cross-Site Scripting
Published
2024-12-13
Title
Buk for WordPress < 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-16
Title
Jupiterx Core < 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Inline SVG