CVE-2021-39320

Publication date

2021-09-01 14:15:35

Family

Wordfence

State

PUBLISHED

Description

The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS[PHP_SELF]` in the ucOptions.php file. On certain configurations, including Apache+modPHP, this makes a reflected Cross-Site Scripting attack possible by injecting malicious code in the request path.
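
The output pattern described above, next to two hardened forms, as an added example (not the plugin's code). The function names, the form markup, the `/demo/settings.php` path and the sample `$server` values are assumptions constructed for illustration.

```php
<?php
// Added illustration; not code from the underConstruction plugin.
// Assumption: the value ends up inside an HTML attribute (a form action).

// Pattern the advisory describes: the request-derived PHP_SELF value is
// written into the page as-is, so markup in the request path reaches the HTML.
function form_open_raw(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened: encode for the attribute context before output. In WordPress
// code, esc_url() or esc_attr() fill the same role.
function form_open_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Alternative: SCRIPT_NAME carries only the script's own path, without the
// extra path segments that PHP_SELF can include. Still escape it on output.
function form_open_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Constructed sample of the server variables when extra path segments
// follow the script name; the marker is a harmless tag.
$server = [
    'SCRIPT_NAME' => '/demo/settings.php',
    'PHP_SELF'    => '/demo/settings.php/"><i>marker</i>',
];

foreach (['form_open_raw', 'form_open_escaped', 'form_open_script_name'] as $fn) {
    $html = $fn($server);
    // A literal <i> in the output means request data was parsed as markup.
    $verdict = strpos($html, '<i>') !== false ? 'markup injected' : 'inert';
    printf("%-22s %-15s %s\n", $fn, $verdict, $html);
}
```

Only `form_open_raw` reports `markup injected`; the other two emit the path as inert attribute text.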