Vulnerabilities > Underconstruction Project > Underconstruction > 1.01

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2022-06-20 | CVE-2022-1895 | Cross-Site Request Forgery (CSRF) vulnerability in Underconstruction Project Underconstruction | The underConstruction WordPress plugin before 1.20 does not have a CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack. | 4.3 |
| 2022-06-20 | CVE-2022-1896 | Cross-site Scripting vulnerability in Underconstruction Project Underconstruction | The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
| 2021-09-01 | CVE-2021-39320 | Cross-site Scripting vulnerability in Underconstruction Project Underconstruction | The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. | 4.3 |
| 2014-04-10 | CVE-2013-2699 | Cross-Site Request Forgery (CSRF) vulnerability in Underconstruction Project Underconstruction | Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors. | 6.8 |