On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.
The plugin’s publisher, Redux.io, replied almost immediately to our initial contact, and we provided full disclosure the same day, August 3, 2021. A patched version of the plugin, 4.2.13, was released on August 11, 2021.
Wordfence Premium users received a firewall rule to protect against the vulnerability targeting the REST API on August 3, 2021. Sites still running the free version of Wordfence will receive the same protection after 30 days, on September 2, 2021.
Description: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38312
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 4.2.13
The Gutenberg Template Library & Redux Framework plugin allows site owners to add blocks and block templates to extend the functionality of a site by choosing them from a library. In order to do this, it uses the WordPress REST API to process requests to list and install available blocks, manage existing blocks, and more.
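The class of bug described above comes down to the `permission_callback` on a REST route not matching the privilege of the action the route performs. The following is an added illustration, not code from the Redux Framework plugin, of a hypothetical block-library endpoint that installs and activates a plugin from the WordPress.org directory. The namespace `example-library/v1`, the routes, the function name and the slug validation are assumptions for the example; the WordPress APIs (`register_rest_route`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are real. The first registration checks only `edit_posts`, which Contributors hold, so any Contributor could install and activate arbitrary plugins; the second checks the capabilities that actually gate the operation.

```php
<?php
/**
 * Illustrative example (not the Redux Framework plugin's code): one REST
 * endpoint that installs and activates a plugin, registered first with an
 * insufficient permission check and then with the correct one. Namespace,
 * route names, function name and slug validation are assumptions.
 */

add_action( 'rest_api_init', function () {

    // Weak: 'edit_posts' is held by Contributors and above, yet the handler
    // installs and activates arbitrary plugins. This is the mismatch that
    // turns a low-privilege account into full plugin installation.
    register_rest_route( 'example-library/v1', '/install', array(
        'methods'             => 'POST',
        'callback'            => 'example_library_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array( 'slug' => array( 'required' => true ) ),
    ) );

    // Corrected: the permission check mirrors what the handler actually does,
    // and the slug is validated so only directory slugs reach plugins_api().
    register_rest_route( 'example-library/v1', '/install-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_library_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Directory slugs only: no slashes, dots or uppercase.
                    return is_string( $value )
                        && 1 === preg_match( '/^[a-z0-9-]+$/', $value );
                },
            ),
        ),
    ) );
} );

/**
 * Install a plugin from WordPress.org by slug and activate it.
 * Shared by both routes above; the only difference is who may reach it.
 */
function example_library_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param( 'slug' );

    // Resolve the slug to a download link via the WordPress.org plugin API.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    // Install the package; plugin_info() yields the plugin's main file path.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }

    return rest_ensure_response( array( 'installed' => $plugin_file, 'active' => true ) );
}
```

When auditing a plugin for this class of issue, read every `register_rest_route` call and compare the capability in `permission_callback` against the most privileged thing the callback does (filesystem writes, `activate_plugin`, `wp_delete_post` on posts the caller does not own). `wp cap list contributor` on a WP-CLI install shows that Contributors hold `edit_posts` but neither `install_plugins` nor `delete_others_posts`, which is the gap an endpoint like the weak route above would expose.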