CVE-2021-39320
MEDIUM NUCLEIunderConstruction < 1.19 - Reflected Cross-Site Scripting via PHP_SELF in ucOptions.php
Title source: llmExploitation Summary
CVE-2021-39320 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
Nuclei Templates (1)
WordPress Under Construction <1.19 - Cross-Site Scripting
MEDIUMVERIFIEDby dhiyaneshDK
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875
Third Party Advisory x_refsource_misc
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320
Scores
CVSS v3
6.1
EPSS
0.0221
EPSS Percentile
80.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
underconstruction_project/underconstruction
< 1.19
Published
Sep 01, 2021
Tracked Since
Feb 18, 2026