WordPress Plugin Vulnerabilities

Under Construction < 3.97 - Multiple CSRF

Description

The plugin does not properly validate nonces on the install_weglot and dismiss_notice functions, leading to a Cross-Site Request Forgery vulnerability.

Affects Plugins

Plugin icon
under-construction-page
Fixed in 3.97

References

CVE
CVE-2023-0832
CVE
CVE-2023-0831
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/under-construction-page/under-construction-396-cross-site-request-forgery-via-admin-action-install-weglot
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/under-construction-page/under-construction-396-cross-site-request-forgery-via-admin-action-ucp-dismiss-notice

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ramuel Gall, Alex Thomas
Verified
No
WPVDB ID
6ca4c56a-dfa4-4731-afc8-c1e79630eabe

Timeline

Publicly Published
2023-02-10 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2023-02-28
Title
Responsive Vertical Icon Menu < 1.5.9 - Theme Deletion via CSRF
Published
2025-10-21
Title
PixelYourSite < 11.1.3 – GDPR Options Update via CSRF
Published
2024-11-23
Title
iPhone Webclip Manager <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-06-20
Title
Envira Photo Gallery < 1.8.8 - Cross-Site Request Forgery to Notice Dismissal
Published
2021-09-20
Title
Scroll Baner <= 1.0 - CSRF to RCE