During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: underConstruction, the version of the affected plugin: < 1.21
The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
In the plugin's settings, active Under Contraction feature, select "Display a custom page using your own HTML" then put the following payload in the "Under Construction Page HTML" field: <svg onload=alert(/XSS/)> The XSS will be triggered in the homepage (when viewed as non admin)
NIST CVSS SCORE: 4.8
Plugin has more than 80,000+ active installations.