
Underconstruction Project Underconstruction vulnerabilities

4 known vulnerabilities affecting underconstruction_project/underconstruction.

Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: MEDIUM 4

Vulnerabilities

CVE-2021-39320 | priority P3 | MEDIUM | CVSS 6.1 | PoC available | fixed in 1.19 | published 2021-09-01
CVE-2021-39320 [MEDIUM] CWE-79: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
Source: NVD
CVE-2013-2699 | priority P4 | MEDIUM | CVSS 6.8 | affected ≤ 1.08 (v1.0 and 7 more versions) | published 2014-04-10
CVE-2013-2699 [MEDIUM] CWE-352: Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.
Source: NVD
CVE-2022-1896 | priority P4 | MEDIUM | CVSS 4.8 | fixed in 1.21 | published 2022-06-20
CVE-2022-1896 [MEDIUM] CWE-79: The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Source: NVD
CVE-2022-1895 | priority P4 | MEDIUM | CVSS 4.3 | fixed in 1.20 | published 2022-06-20
CVE-2022-1895 [MEDIUM] CWE-352: The underConstruction WordPress plugin before 1.20 does not have a CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack.
Source: NVD