CVE-2021-39320

MEDIUM NUCLEI

Underconstruction < 1.19 - XSS

Title source: rule

Description

The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.

Nuclei Templates (1)

WordPress Under Construction <1.19 - Cross-Site Scripting

MEDIUMVERIFIEDby dhiyaneshDK

References (2)

[Third Party Advisory] https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875

[Third Party Advisory] https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320

Scores

CVSS v3 6.1

EPSS 0.1966

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

underconstruction_project/underconstruction < 1.19

Published Sep 01, 2021

Tracked Since Feb 18, 2026