CVE-2023-0832 in Under Construction Plugin

Summary

by MITRE • 06/09/2023

The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2023-0832 affects the Under Construction plugin for WordPress, specifically versions up to and including 3.96. This represents a critical security flaw that undermines the integrity of WordPress administrative functions and exposes sites to unauthorized modifications. The issue manifests through a cross-site request forgery vulnerability that allows attackers to manipulate the plugin's installation process without proper authentication. The vulnerability stems from inadequate security controls within the plugin's administrative interface, creating an exploitable pathway for malicious actors to install third-party plugins without administrator consent.

The technical flaw resides in the install_weglot function, which is triggered through the admin_action_install_weglot action hook. This function fails to implement proper nonce validation, a fundamental WordPress mechanism for preventing unauthorized administrative actions. A WordPress nonce is a cryptographic token bound to the current user, the specific action and a time window; validating it confirms that the request was deliberately issued by an authenticated administrator through the plugin's own interface rather than forged by a third-party page. Without that check, any request that reaches the hook is executed, so a page controlled by an attacker can cause a logged-in administrator's browser to submit one. This vulnerability specifically targets the plugin's installation workflow, allowing attackers to silently install the Weglot Translate plugin on affected sites.
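The pattern described above, shown as an added PHP illustration that is not the Under Construction plugin's own code: the unguarded handler beside a hardened one that requires the install_plugins capability and a valid nonce, plus the nonce-bearing link the plugin's own page would have to emit. The ucp_ function names and the nonce action string are assumed for illustration; the WordPress APIs (admin_action_{$action}, check_admin_referer, wp_nonce_url, Plugin_Upgrader) are real.

```php
<?php
// Added illustrative example, not the plugin's code. Names prefixed ucp_ are assumed.

// Vulnerable pattern: the admin_action_install_weglot hook fires for any request to
// wp-admin/admin.php?action=install_weglot, and nothing proves the administrator
// meant to send it. A logged-in admin who loads an attacker-controlled page can be
// made to trigger it (CWE-352).
function ucp_install_weglot_vulnerable() {
    ucp_do_install( 'weglot' ); // no nonce check, no capability check
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// Hardened pattern: the capability check establishes that this user may install
// plugins at all, and check_admin_referer() verifies a nonce bound to the user,
// the action and a time window. A cross-site request cannot carry a valid nonce,
// so it dies before the install runs.
function ucp_install_weglot_hardened() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reads _wpnonce from the request and calls wp_die() if it does not verify.
    check_admin_referer( 'ucp_install_weglot' );
    ucp_do_install( 'weglot' );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_action_install_weglot', 'ucp_install_weglot_hardened' );

// The legitimate link on the plugin's settings page must carry the matching nonce,
// otherwise the real administrator is blocked as well.
function ucp_install_weglot_link() {
    return wp_nonce_url(
        admin_url( 'admin.php?action=install_weglot' ),
        'ucp_install_weglot'
    );
}

// Assumed helper: installs a plugin from WordPress.org via the core upgrader.
function ucp_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}
```

For detection, a request to admin.php?action=install_weglot that lacks a _wpnonce parameter, or arrives with a Referer outside the site's wp-admin, is the signal worth alerting on in web server logs.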

The operational impact of this vulnerability extends beyond simple unauthorized plugin installations, potentially exposing WordPress sites to additional security risks. When an attacker successfully installs the Weglot Translate plugin through a forged request, they gain the ability to modify site content, inject malicious code, or establish backdoor access points. The attack requires social engineering to trick administrators into clicking malicious links, but once successful, the consequences can be severe. This vulnerability effectively bypasses WordPress's built-in security controls and administrative permissions, allowing attackers to modify site configurations and potentially compromise the entire WordPress installation. The impact is particularly concerning given that many WordPress administrators may not be aware of the compromised plugin's presence until significant damage has occurred.

Organizations should immediately update to the latest version of the Under Construction plugin to remediate this vulnerability, as no official patches were available at the time of reporting. The recommended mitigation strategy involves implementing comprehensive monitoring of administrative actions and plugin installations to detect suspicious activities. Security teams should also review and enforce strict access controls for administrative functions, ensuring that only authorized personnel can perform critical operations. Additionally, implementing web application firewalls and content security policies can help detect and prevent exploitation attempts. This vulnerability aligns with CWE-352, which describes Cross-Site Request Forgery, and maps to ATT&CK technique T1059.001 for executing malicious code through compromised administrative interfaces. Organizations should also consider implementing multi-factor authentication for administrative accounts and establishing regular security audits to identify similar vulnerabilities in other plugins and themes.

Reservation

02/14/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00092

KEV

no

Activities

very low
