Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Underconstruction Project Subscribe
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1896 1 Underconstruction Project 1 Underconstruction 2022-06-28 3.5 LOW 4.8 MEDIUM
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
CVE-2022-1895 1 Underconstruction Project 1 Underconstruction 2022-06-28 4.3 MEDIUM 4.3 MEDIUM
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2021-39320 1 Underconstruction Project 1 Underconstruction 2021-09-08 4.3 MEDIUM 6.1 MEDIUM
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
CVE-2013-2699 1 Underconstruction Project 1 Underconstruction 2021-09-02 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.