CVE-2021-38312

Public Exploit

Gutenberg Template Library & Redux Framework <= 4.2.11 Incorrect Authorization check to Arbitrary plugin installation and post deletion

Description

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.

References

Link	Tags
https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-38312?: CVE-2021-38312 has been scored as a high severity vulnerability.
How to fix CVE-2021-38312?: To fix CVE-2021-38312, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-38312 being actively exploited in the wild?: It is possible that CVE-2021-38312 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-38312?: CVE-2021-38312 affects Redux.io Gutenberg Template Library & Redux Framework.

Description

Categories

CWE-280 – Improper Handling of Insufficient Permissions or Privileges

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions