Security Advisory

CVE-2021-39320

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-09-01 14:15:35
Last updated 2025-05-05 14:50:43
Assigner Wordfence
State PUBLISHED

Description

The underConstruction plugin <= 1.18 for WordPress echoes the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations, including Apache+modPHP, this allows a reflected Cross-Site Scripting attack by injecting malicious code into the request path.
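The pattern described above beside a hardened form, as an added example that is not the plugin's own code. The function names, the `/wp-admin/example.php` path and the `<b>` marker are constructed for illustration; inside WordPress, `esc_url()` or `esc_attr()` would take the place of `htmlspecialchars()`.

```php
<?php
// Added example: not code from ucOptions.php. All sample values are constructed.
// PHP_SELF is the script name plus any trailing PATH_INFO, already URL-decoded,
// so on servers that pass extra path segments to PHP it is request-controlled.

// Vulnerable pattern: the raw value lands inside an HTML attribute.
function render_form_raw(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened pattern: encode for the attribute context before output.
function render_form_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Check: the output must be exactly one <form> tag whose action value
// contains no quote or angle bracket, i.e. nothing escaped the attribute.
function attribute_intact(string $html): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $html) === 1;
}

// Constructed request paths: one ordinary, one with markup in the trailing
// path segment (a harmless <b> marker stands in for injected content).
$samples = [
    '/wp-admin/example.php',
    '/wp-admin/example.php/"><b>marker</b>',
];

foreach ($samples as $path) {
    foreach (['render_form_raw', 'render_form_escaped'] as $fn) {
        $html = $fn($path);
        printf(
            "%-20s intact=%-3s %s\n",
            $fn,
            attribute_intact($html) ? 'yes' : 'NO',
            $html
        );
    }
}
```

Only the raw renderer on the second sample reports `intact=NO`; the escaped renderer keeps the marker inside the attribute as inert text.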