Does underConstruction have any unpatched vulnerabilities?

No. All known vulnerabilities in underConstruction have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is underConstruction compatible with WordPress 6.4.8?

According to WordPress.org data, underConstruction 1.22 has been tested up to WordPress 6.4.8. Check the plugin's changelog for the latest compatibility information.

How often is underConstruction updated?

underConstruction was last updated on Mar 8, 2024. Frequent updates are generally a positive security signal.

What is underConstruction's security score?

underConstruction has a WP-Safety security score of 82/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

underConstruction Security & Risk Analysis

wordpress.org/plugins/underconstruction

Creates a 'Coming Soon' page that will show for all users who are not logged in

40K active installs v1.22 PHP + WP 2.7+ Updated Mar 8, 2024

constructionpreviewprivatesecurityunder-construction

B · Generally Safe

CVEs total5

Unpatched0

Last CVEMar 29, 2024

Plugin page Download

Safety Verdict

Is underConstruction Safe to Use in 2026?

Mostly Safe

Score 82/100

underConstruction is generally safe to use though it hasn't been updated recently. 5 past CVEs were resolved. Keep it updated.

5 known CVEsLast CVE: Mar 29, 2024Updated 2yr ago

Risk Assessment

The "underconstruction" v1.22 plugin presents a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a relatively low number of entry points, several concerns warrant attention. The plugin has one unprotected AJAX handler, which is a direct attack vector if not properly secured within its implementation. Additionally, only 66% of output is properly escaped, suggesting a potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled with sufficient sanitization in all cases. The vulnerability history is a significant red flag, with 5 known CVEs, including 2 high-severity ones and 3 medium-severity ones, with the most recent being March 29, 2024. This pattern indicates a history of significant security flaws, primarily XSS and CSRF, suggesting a need for more robust input validation and output encoding practices throughout the development lifecycle. While the current version may not have unpatched CVEs and uses some security features like nonce and capability checks, the historical data and the unprotected AJAX handler suggest that users should exercise caution and ensure the plugin is updated regularly with any new security patches.

Key Concerns

Unprotected AJAX handler
Insufficient output escaping (66% proper)
High number of historical vulnerabilities (5 total)
Presence of high-severity historical vulnerabilities (2)
Presence of medium-severity historical vulnerabilities (3)

Vulnerabilities

underConstruction Security Vulnerabilities

CVEs by Year

1 CVE in 2014

2014

1 CVE in 2021

2021

2 CVEs in 2022

2022

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

High

Medium

5 total CVEs

CVE-2024-30548medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

underConstruction <= 1.21 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 29, 2024 Patched in 1.22 (6d)

CVE-2022-1896medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

underConstruction <= 1.20 - Authenticated (Admin+) Stored Cross-Site Scripting

May 26, 2022 Patched in 1.21 (607d)

CVE-2022-1895high · 8.8Cross-Site Request Forgery (CSRF)

underConstruction <= 1.19 - Cross-Site Request Forgery to Construction Mode Disabled

May 26, 2022 Patched in 1.20 (607d)

CVE-2021-39320medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

underConstruction <= 1.18 - Reflected Cross-Site Scripting

Aug 31, 2021 Patched in 1.19 (875d)

CVE-2013-2699high · 8.8Cross-Site Request Forgery (CSRF)

underConstruction < 1.09 - Cross-Site Request Forgery

Aug 1, 2014 Patched in 1.09 (3462d)

Code Analysis

Analyzed Mar 16, 2026

underConstruction Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

27 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

66% escaped41 total outputs

Data Flows

All sanitized

Data Flow Analysis

3 flows

<ucOptions> (ucOptions.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

underConstruction Attack Surface

Entry Points1

Unprotected1

AJAX Handlers 1

authwp_ajax_uc_get_ip_addressunderConstruction.php:434

WordPress Hooks 7

actiontemplate_redirectunderConstruction.php:380

actionadmin_initunderConstruction.php:381

actionwp_loginunderConstruction.php:382

actionplugins_loadedunderConstruction.php:385

actionadmin_initunderConstruction.php:387

actionadmin_menuunderConstruction.php:395

filterplugin_action_linksunderConstruction.php:429

Maintenance & Trust

underConstruction Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8

Last updatedMar 8, 2024

PHP min version

Downloads1.7M

Community Trust

Rating90/100

Number of ratings111

Active installs40K

Alternatives

underConstruction Alternatives

Eazy Under Construction

eazy-under-construction

Creates a 'Coming Soon' page that will show for all users who are not logged in

500 1 CVE

BRB – Maintenance or Coming Soon

k-brb-maintenance-or-coming-soon

BRB creates a very simple maintenance mode / coming soon page for your site.

100 No CVEs

Under Construction

under-construction-page

Easy to use Under Construction Page & Coming Soon Page. Enable Under Construction Mode in seconds & show you're Under Construction!

600K 3 CVEs

CMP – Coming Soon & Maintenance Plugin by NiteoThemes

cmp-coming-soon-maintenance

Beautiful Coming soon, Maintenance or Landing page on your website, packed with premium features for free.

200K 6 CVEs

My Private Site

jonradio-private-site

Make your WordPress site private with one click for family, projects, or teams. Protection for content, login, and registration.

20K 2 CVEs

Developer Profile

underConstruction Developer Profile

Garrett Grimm

7 plugins · 111K total installs

trust score

Avg Security Score

84/100

Avg Patch Time

881 days

View full developer profile

Detection Fingerprints

How We Detect underConstruction

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/underconstruction/styles/underconstruction-style-common.css/wp-content/plugins/underconstruction/underconstruction.min.js

Script Paths

/wp-content/plugins/underconstruction/scripts/underconstruction-scripts.js

HTML / DOM Fingerprints

JS Globals

underConstruction

FAQ