CVE-2023-0831

Name of the Vulnerable Software and Affected Versions Under Construction plugin for WordPress versions up to and including 3.96

Description The issue arises from missing or incorrect nonce validation on the dismiss notice function, which is called via the admin action ucp dismiss notice action. This allows unauthenticated attackers to dismiss plugin notifications by tricking a site administrator into performing an action, such as clicking on a link, thereby facilitating a Cross-Site Request Forgery attack.

Recommendations For Under Construction plugin for WordPress versions up to and including 3.96, update to a version that includes proper nonce validation for the dismiss notice function to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the admin action ucp dismiss notice action to minimize the risk of exploitation.