PT-2021-22530 · WordPress+1 · Underconstruction+2

Published

2021-09-01

Updated

2021-09-08

CVE-2021-39320

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: underConstruction plugin versions <= 1.18 for WordPress

Description: The issue allows for a reflected Cross-Site Scripting attack by injecting malicious code in the request path on certain configurations, including Apache+modPHP. This is possible because the plugin echoes out the raw value of PHP SELF in the ucOptions.php file.

Recommendations: For underConstruction plugin versions <= 1.18, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the ucOptions.php file to minimize the risk of reflected Cross-Site Scripting attacks. Avoid using the plugin on configurations that include Apache+modPHP to reduce the risk of malicious code injection.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-39320

Affected Products

Apache

Mod Php

Underconstruction

PT-2021-22530 · WordPress+1 · Underconstruction+2

CVE-2021-39320

Weakness Enumeration

Related Identifiers

Affected Products

References · 5