GCVE - cpe:2.3:a:webfactory:under_construction:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:webfactory:under_construction:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Webfactory (`8800e04e-408e-5a5a-8de6-12fac17ad5b3`)
Product	Under Construction (`1d83d985-bf6c-50d3-afb8-b9060a9a0ba1`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-0832`	vulnerable	2026-06-03 14:48:52.945173	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_install_weglot MEDIUM (4.3) The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2023-06-09T05:33:17.341Z Updated: 2026-04-08T16:52:07.793Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa84388-3597-4a54-9ae8-d6e04afe9061?source=cve https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L2389	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-0831`	vulnerable	2026-06-03 14:48:52.943200	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice MEDIUM (4.3) The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2023-06-09T05:33:09.916Z Updated: 2026-04-08T16:32:48.697Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/031a1203-6b0d-453b-be8a-12e7f55cb401?source=cve https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L901	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.