CVE-2022-1896

CVE-2022-1896: underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting

Vendor Unknown

Product underConstruction

Weakness CWE-79 · XSS

Published June 20, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

Key dates

02Disclosure timeline

June 20, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1896 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-24729 WordPress ElementInvader Addons for Elementor plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability CVE-2026-1705 D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting CVE-2023-5903 Cross-site Scripting (XSS) - Stored in pkp/pkp-lib CVE-2020-5286 Reflected XSS related in import page in PrestaShop CVE-2022-38073 WordPress Awesome Support plugin <= 6.0.7 - Multiple Authenticated Persistent XSS (Additional Interested Parties)