Today’s post is part one of a two-part blog post. It describes a cross-site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out for that post via our mailing list, which you can join on this page, in case you’re not already a member.
On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.
After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. A patched version, 1.19, was released the next day, on August 31, 2021.
A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.
If you aren’t running Wordfence and are a user of this plugin, we recommend that you immediately upgrade to version 1.19 of underConstruction, which contains the patch.
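To make the PHP_SELF issue concrete, here is an added example (not the plugin’s own code, which is not shown on this page) of the classic unescaped PHP_SELF sink beside two hardened replacements. The `admin.php?page=underconstruction` settings URL is assumed for illustration.

```php
<?php
// Added example: the classic PHP_SELF reflected-XSS sink and hardened forms.
// This is illustrative code, not the underConstruction plugin's own source.

// Vulnerable: $_SERVER['PHP_SELF'] is derived from the request path as sent by
// the client, including any PATH_INFO appended after the script name, so that
// trailing client-controlled text is written unescaped into the action attribute.
function render_form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">'
         . '<input type="submit" value="Save"></form>';
}

// Hardened (WordPress style): do not reflect PHP_SELF at all. Post back to a
// server-chosen admin URL and escape it for the attribute context.
// The page slug below is an assumption for this example.
function render_form_hardened(): string {
    $action = admin_url('admin.php?page=underconstruction');
    return '<form method="post" action="' . esc_url($action) . '">'
         . '<input type="submit" value="Save"></form>';
}

// Hardened (plain PHP): if the script must self-reference, escape the value
// for attribute context so it cannot close the quoted attribute or inject tags.
function render_form_escaped(): string {
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="Save"></form>';
}
```

A quick check while reviewing a plugin is to grep for `PHP_SELF` and `REQUEST_URI` and confirm every occurrence that reaches HTML passes through `esc_url()`, `esc_attr()`, or `htmlspecialchars()` first.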
Description: Reflected Cross-Site Scripting
Affected Plugin: underConstruction
Plugin Slug: underconstruction