During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: underConstruction, the version of the affected plugin: < 1.21


The plugin does not sanitise or escape the "Display a custom page using your 
own HTML" setting before outputting it, allowing high privilege 
users to perform Cross-Site Scripting attacks even when the 
unfiletred_html capability is disallowed.


In the plugin's settings, active Under Contraction feature, select 
"Display a custom page using your own HTML" then put the following payload 
in the "Under Construction Page HTML" field: 

<svg onload=alert(/XSS/)>

The XSS will be triggered in the homepage (when viewed as non admin) 

Additional information

WPSCAN link: https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c


NIST LINK: https://nvd.nist.gov/vuln/detail/CVE-2022-1896

Plugin has more than 80,000+ active installations.