RSS   Podatności dla 'Underconstruction'   RSS

2022-06-20
 
CVE-2022-1895

CWE-352
 

 
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

 
 
CVE-2022-1896

CWE-79
 

 
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

 
2021-09-01
 
CVE-2021-39320

CWE-79
 

 
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.

 


Copyright 2024, cxsecurity.com

 

Back to Top