GCVE - cpe:2.3:a:webfactoryltd:under_construction:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:webfactoryltd:under_construction:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Webfactoryltd (`42e366d7-a42e-568c-8deb-d59744fb0f59`)
Product	Under Construction (`3591b040-1fe7-5610-9112-cb7e8428d0b6`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-0832`	vulnerable	2026-06-03 14:48:52.945215	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_install_weglot MEDIUM (4.3) The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2023-06-09T05:33:17.341Z Updated: 2026-04-08T16:52:07.793Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa84388-3597-4a54-9ae8-d6e04afe9061?source=cve https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L2389	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-0831`	vulnerable	2026-06-03 14:48:52.944769	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice MEDIUM (4.3) The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2023-06-09T05:33:09.916Z Updated: 2026-04-08T16:32:48.697Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/031a1203-6b0d-453b-be8a-12e7f55cb401?source=cve https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L901	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Under Construction

PURL mappings

Vulnerability references

Contribute