Two security vulnerabilities were discovered in the Gutenberg Template Library & Redux Framework plugin for WordPress, CVE-2021-38312 and CVE-2021-38314. Discovered by Defiant researchers, the vulnerabilities could impact more than a million WordPress websites running the plugin.
Both flaws affect plugin versions prior to version 4.2.11. To avoid any compromise, users of the Gutenberg Template Library should install version 4.2.13, which is the fully patched version.
Fortunately, the plugin’s publisher, Redux.io, responded almost immediately to the researchers’ report. Following the quick response, Defiant provided full disclosure the same day, on August 3, 2021.
CVE-2021-38312 and CVE-2021-38314 in Gutenberg Template Library & Redux Framework
The first vulnerability, CVE-2021-38312, could allow users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API.
The flaw is rated 7.1 on the CVSS scale, making it severe in its impact. It stems from the plugin’s use of the WordPress REST API, in which permissions were not authorized correctly. “While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this callback only checked whether or not the user sending the request had the edit_posts capability,” Defiant explained.
In layman’s terms, users with lower permissions could install any plugin from the WordPress repository using the redux/v1/templates/plugin-install endpoint, or delete any post via the redux/v1/templates/delete_saved_block endpoint.
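The pattern Defiant describes, a single permission_callback that only tests edit_posts, is easiest to see next to a registration that checks the capability WordPress itself requires for what each handler does. The following is an added example written for this article; it is not code from the Redux Framework plugin. The route paths are the ones named in the advisory, but the example/v1 namespace, the function names and the handler bodies are assumptions made here.

```php
<?php
/**
 * Added example (not the plugin's own code). Contrasts a permission_callback
 * that only checks edit_posts, a capability Contributors hold, with per-route
 * callbacks that check install_plugins / activate_plugins and a per-post
 * delete_post check. Namespace 'example/v1' and all function names are
 * assumptions; the route paths come from the advisory text.
 */

// The advisory's pattern: Contributors have edit_posts, so this returns true
// for them on every route it guards. Do not use this for privileged routes.
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Installing and activating plugins is administrator-level in core WordPress.
function example_can_install_and_activate( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not install plugins.', array( 'status' => 403 ) );
    }
    return true;
}

// Deletion is checked against the specific post, so a Contributor can only
// delete what WordPress already lets them delete (their own unpublished posts).
function example_can_delete_block( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete this post.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical handler: install a plugin from the wordpress.org repository by slug.
function example_plugin_install( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $slug = sanitize_key( $request->get_param( 'slug' ) );
    $api  = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}

// Hypothetical handler: delete a saved block post by id.
function example_delete_saved_block( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    if ( ! wp_delete_post( $post_id, true ) ) {
        return new WP_Error( 'delete_failed', 'Post could not be deleted.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    // Hardened registration: one permission_callback per route, matched to what
    // the handler does, plus argument schemas so the callback sees a well-formed id.
    register_rest_route( 'example/v1', '/templates/plugin-install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_plugin_install',
        'permission_callback' => 'example_can_install_and_activate',
        'args'                => array(
            'slug' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );

    register_rest_route( 'example/v1', '/templates/delete_saved_block', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_saved_block',
        'permission_callback' => 'example_can_delete_block',
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
} );
```

The useful review question for any REST route is whether the permission_callback asks for the same capability the handler's side effect requires: a route that installs plugins should fail for anyone who could not do the same from the Plugins screen, and a delete route should pass the post id to current_user_can( 'delete_post', $id ) rather than a blanket capability.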
The second vulnerability, CVE-2021-38314, could enable unauthenticated attackers to access potentially sensitive information regarding a site’s configuration. The bug’s rating is 5.3 on the CVSS scale.
The flaw stems from several AJAX actions being available to unauthenticated users; one of them is deterministic and predictable, which allowed threat actors to work out what a site’s $support_hash would be.
“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” the researchers explained.
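Three separate problems combine in the description above: the action was reachable without logging in, the support value could be predicted, and the response carried a hash of the site's authentication keys. The following added example, written for this article and not taken from the plugin, shows the defensive counterpart of each: the action is registered only with the wp_ajax_ hook (never wp_ajax_nopriv_), it is gated by a nonce and an administrator capability, the support token is a stored random value rather than anything computed from site secrets, and the payload contains no key material. The function, option and nonce names are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code). Defensive pattern for a
 * support-diagnostics AJAX action: logged-in only, nonce-checked, capability-
 * gated, with an opaque random support token instead of a predictable hash
 * and no AUTH_KEY / SECURE_AUTH_KEY material in the response.
 * All names below (example_*) are assumptions.
 */

const EXAMPLE_SUPPORT_TOKEN_OPTION = 'example_support_token';

// Opaque token: generated once from WordPress's CSPRNG-backed generator,
// stored in an option, never derived from keys or other site constants.
function example_get_support_token() {
    $token = get_option( EXAMPLE_SUPPORT_TOKEN_OPTION );
    if ( ! is_string( $token ) || strlen( $token ) !== 32 ) {
        $token = wp_generate_password( 32, false, false );
        update_option( EXAMPLE_SUPPORT_TOKEN_OPTION, $token, false );
    }
    return $token;
}

// Constant-time comparison for any later check of a presented token.
function example_support_token_matches( $candidate ) {
    return is_string( $candidate ) && hash_equals( example_get_support_token(), $candidate );
}

// Diagnostic payload. PHP version and plugin list are acceptable here only
// because the action is restricted to administrators; no key hashes are included.
function example_support_info() {
    return array(
        'php_version'    => PHP_VERSION,
        'wp_version'     => get_bloginfo( 'version' ),
        'active_plugins' => array_values( (array) get_option( 'active_plugins', array() ) ),
        'multisite'      => is_multisite(),
    );
}

// Registered under wp_ajax_ only. Without a wp_ajax_nopriv_ counterpart,
// WordPress never routes anonymous admin-ajax.php requests to this handler.
add_action( 'wp_ajax_example_support_info', function () {
    // Dies with a 403 if the 'nonce' request field is missing or invalid.
    check_ajax_referer( 'example_support_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient capability.' ), 403 );
    }

    wp_send_json_success( array(
        'token' => example_get_support_token(),
        'info'  => example_support_info(),
    ) );
} );
```

The admin page that calls this action obtains its nonce from wp_create_nonce( 'example_support_nonce' ) on the server; nothing on the client computes or guesses the value. When auditing an AJAX handler, the first two things to check are whether a wp_ajax_nopriv_ hook exists for it and whether any value in the response is derived from AUTH_KEY, SECURE_AUTH_KEY or the other wp-config.php salts, since an unsalted hash of those constants is exactly the kind of material that should never leave the server.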
It is highly recommended that all plugin users immediately update to the latest available version, 4.2.14 as of this writing.