Cross-Site Request Forgery Vulnerability in Under Construction Plugin for WordPress
CVE-2023-0832

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Under Construction
Vendor: CVE Published:; 9 June 2023

Summary

The Under Construction plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the install_weglot function. This vulnerability enables unauthorized users to mistakenly install the Weglot Translate plugin by tricking an authenticated site administrator into executing a malicious action, such as clicking an infected link. Users of versions up to and including 3.96 of the plugin should take appropriate measures to secure their sites.

Affected Version(s)

Under Construction * <= 3.96

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/under-construc...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2023
Vulnerability Reserved
Feb 14, 2023

Credit

Ramuel Gall

Alex Thomas