CVE-2021-39320: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-39320) affects the underConstruction WordPress plugin versions 1.18 and below. The issue was discovered and reported by Ram Gall from Wordfence, with public disclosure occurring on August 31, 2021. The vulnerability exists in the ucOptions.php file where the plugin improperly handles the raw value of $GLOBALS['PHP_SELF'] (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The technical root cause stems from the plugin's failure to properly escape the PHP_SELF variable before outputting it in an attribute, specifically in the ucOptions.php file (Wordfence).

When exploited, this vulnerability allows attackers to perform reflected Cross-Site Scripting attacks by injecting malicious code in the request path. This is particularly concerning on configurations running Apache with modPHP (NVD).

The vulnerability has been fixed in version 1.19 of the underConstruction plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).