underConstruction <= 1.18 - Reflected Cross-Site Scripting
CVE-2021-39320

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Underconstruction
Vendor: CVE Published:; 1 September 2021

Summary

The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of $GLOBALS['PHP_SELF'] in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.

Affected Version(s)

underConstruction 1.18

References

https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-...

x_refsource_MISC

https://www.wordfence.com/vulnerability-advisories/#CVE-2...

x_refsource_MISC

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 1, 2021
Vulnerability Reserved
Aug 20, 2021

Credit

Ramuel Gall, Wordfence