CVE-2022-1895
- EPSS 0.11%
- Veröffentlicht 20.06.2022 11:15:10
- Zuletzt bearbeitet 21.11.2024 06:41:42
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2022-1896
- EPSS 0.21%
- Veröffentlicht 20.06.2022 11:15:10
- Zuletzt bearbeitet 21.11.2024 06:41:42
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletre...
CVE-2021-39320
- EPSS 19.66%
- Veröffentlicht 01.09.2021 15:15:12
- Zuletzt bearbeitet 21.11.2024 06:19:14
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scr...
CVE-2013-2699
- EPSS 0.18%
- Veröffentlicht 10.04.2014 20:29:20
- Zuletzt bearbeitet 12.04.2025 10:46:40
Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.