There are SSRF and RXSS vulnerabilities in the WordPress plugin Under Construction, Coming Soon & Maintenance Mode version 1.1.1. Both vulnerabilities are fixed in version 1.1.2:

https://wordpress.org/plugins/under-construction-maintenance-mode/#developers

[1] SSRF

Here is the relevant code from file includes/mc-get_lists.php:

    $apiKey = $_POST['apiKey'];
    $dataCenter = substr( $apiKey , strpos( $apiKey,'-' ) + 1 );
    $url = 'https://'. $dataCenter. '.api.mailchimp.com/3.0/lists/';

The user submits the POST parameter "apiKey", and the code constructs an HTTPS URL from it without any sanitization and then retrieves it with cURL, which leads to an SSRF bug.

POC:

[2] RXSS

The code in the same file decodes JSON data fetched from the URL and then displays HTML code from the retrieved data without any HTML escaping, leading to a reflected cross-site scripting issue where the payload is on a different server.

POC (attacked.server runs WordPress with a vulnerable version of this plugin, and hacker.server is run by the attacker):

test.json: [[{"id":"
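
One way to close both issues, shown as an added example that is not the plugin's code and not the fix shipped in 1.1.2: the data-center suffix from [1] is accepted only if it matches a strict pattern, and the remote values from [2] are escaped before output. The function names, the suffix pattern, the "id"/"name" fields and the <option> markup are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Function names, the data-center
// pattern and the <option> markup are assumptions made for illustration.

// Return the data-center suffix of a Mailchimp-style key, or null if the
// suffix is anything other than a short lowercase label such as "us19".
function mc_data_center_from_key(string $apiKey): ?string {
    $pos = strrpos($apiKey, '-');
    if ($pos === false) {
        return null;
    }
    $dc = substr($apiKey, $pos + 1);
    // Dots, slashes, '@', '#', ':' and whitespace cannot pass, so the host
    // is always <label>.api.mailchimp.com.
    return preg_match('/\A[a-z]{2,4}[0-9]{1,3}\z/', $dc) === 1 ? $dc : null;
}

// Build the lists URL, or return null so the caller can reject the request.
function mc_lists_url(string $apiKey): ?string {
    $dc = mc_data_center_from_key($apiKey);
    return $dc === null ? null : 'https://' . $dc . '.api.mailchimp.com/3.0/lists/';
}

// Escape every remote value before it reaches HTML (esc_attr()/esc_html()
// inside WordPress; htmlspecialchars() here so the file runs stand-alone).
function mc_render_options(array $lists): string {
    $html = '';
    foreach ($lists as $list) {
        if (!is_array($list)) {
            continue;
        }
        $id   = $list['id'] ?? null;
        $name = $list['name'] ?? null;
        if (!is_scalar($id) || !is_scalar($name)) {
            continue; // skip entries that are not plain values
        }
        $id   = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
        $name = htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8');
        $html .= '<option value="' . $id . '">' . $name . "</option>\n";
    }
    return $html;
}

// Constructed inputs: one well-formed key, two with a malformed suffix.
foreach (['0123abcd-us19', '0123abcd-a.b/c', '0123abcd'] as $key) {
    var_dump(mc_lists_url($key)); // URL string for the first, NULL for the rest
}
// Constructed list data containing markup characters.
echo mc_render_options([['id' => 'a"1', 'name' => '<b>News</b>']]);
```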