The Gutenberg Template Library & Redux Framework plugin for WordPress, installed on more than 1 million sites, supplies a library of pre-built Gutenberg blocks and page templates that publishers can use to assemble a site quickly. Researchers have disclosed two vulnerabilities in the plugin.
The first vulnerability (CVE-2021-38312) is rated high severity, with a CVSS score of 7.1 out of 10. It is an authorization flaw in the REST API endpoints the plugin registers to install and manage blocks: the permission check on those routes only confirms that the caller can edit posts, a capability that contributors already hold, rather than the capability actually needed for the action behind each endpoint.
The WordPress REST API lets applications talk to a WordPress site by exchanging JSON objects. It is the backbone of the WordPress Block Editor, and themes, plugins and custom apps use it to build richer interfaces for managing and publishing a site’s content. Every route a plugin registers on it carries its own permission callback, so a weak callback exposes the route to any user who clears that low bar.
According to the researchers, lower-privileged users such as contributors and authors could use the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts. Plugin installation is normally reserved for administrators, so a contributor who can pull an arbitrary plugin from the repository can choose one with a known weakness and escalate from there.
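The following is an added illustration, not the plugin’s own code, of the shape of this bug and of its fix: two REST routes whose permission_callback only requires edit_posts (which contributors hold), next to the same routes gated on install_plugins and, for deletion, on the per-post delete_post capability. The route namespace, route names and handler names are hypothetical; the WordPress functions called are real.

```php
<?php
// Added example; not code from the Gutenberg Template Library & Redux Framework plugin.
// Namespace 'example/v1' and the handler names are hypothetical.

// WEAK: both routes accept anyone who can edit posts, so a contributor can
// install arbitrary plugins or delete posts that are not theirs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/plugin-install', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
    register_rest_route( 'example/v1', '/delete-block/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_block',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// HARDENED: gate each route on the capability that matches what it does,
// and validate the input before it reaches the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/plugin-install-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            // install_plugins is held by administrators only on a single site.
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]+$/', (string) $value );
                },
            ),
        ),
    ) );
    register_rest_route( 'example/v1', '/delete-block-safe/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_block',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Per-object check: delete_post covers the caller's own posts, and
            // other users' posts only when they also hold delete_others_posts.
            $post_id = (int) $request['id'];
            return get_post( $post_id ) && current_user_can( 'delete_post', $post_id );
        },
    ) );
} );

function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    // Resolve the slug to a download link on wordpress.org, then install it.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $request['slug'],
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'installed' => (bool) $result, 'slug' => $request['slug'] ) );
}

function example_delete_block( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted ) );
}
```

The rule the hardened version follows is to ask "which capability does WordPress core demand for this action?" and require exactly that in the permission callback; edit_posts is almost never the right answer for anything that installs code or touches other users’ content.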
The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users; one of them is deterministic and predictable, which lets an attacker work out a site’s $support_hash.
This $support_hash AJAX action, which was also reachable without authentication, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version. On its own the flaw only discloses information, which is why it scores lower than the first, but an attacker could use that information to plan a site takeover through other vulnerable plugins.
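As an added illustration (not the plugin’s own code), the pair of design mistakes this second flaw combines, a "secret" derived from public data and a diagnostic action registered for unauthenticated callers, shown next to the corrected pattern: a random token stored server-side and compared with hash_equals, on an action that is registered only for logged-in administrators and protected by a nonce. The action names, option name and the formula in example_weak_support_hash are hypothetical stand-ins; they are not the plugin’s real $support_hash computation.

```php
<?php
// Added example; not code from the plugin. Names and the hash formula are hypothetical.

// WEAK: the token is computed from values anyone can learn, and the action is
// hooked on wp_ajax_nopriv_, so no login is needed to call it.
function example_weak_support_hash() {
    // Hypothetical deterministic formula: every input is public, so an
    // attacker can recompute the value for any site they can see.
    return md5( site_url() . '-example' );
}
function example_weak_support() {
    $supplied = isset( $_GET['hash'] ) ? (string) wp_unslash( $_GET['hash'] ) : '';
    if ( $supplied !== example_weak_support_hash() ) {
        wp_send_json_error( 'bad hash', 403 );
    }
    wp_send_json_success( example_support_args() );
}
add_action( 'wp_ajax_nopriv_example_support', 'example_weak_support' );
add_action( 'wp_ajax_example_support', 'example_weak_support' );

// HARDENED: a random token that is generated once and stored, never derived
// from site data, plus a capability check and a nonce on an admin-only action.
function example_get_support_token() {
    $token = get_option( 'example_support_token' );
    if ( ! is_string( $token ) || strlen( $token ) < 32 ) {
        $token = wp_generate_password( 64, false ); // CSPRNG-backed in WordPress
        update_option( 'example_support_token', $token, false );
    }
    return $token;
}
function example_safe_support() {
    check_ajax_referer( 'example_support', 'nonce' );      // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $supplied = isset( $_GET['token'] ) ? (string) wp_unslash( $_GET['token'] ) : '';
    if ( ! hash_equals( example_get_support_token(), $supplied ) ) { // constant-time compare
        wp_send_json_error( 'bad token', 403 );
    }
    wp_send_json_success( example_support_args() );
}
// No wp_ajax_nopriv_ registration: anonymous requests never reach the handler.
add_action( 'wp_ajax_example_support_safe', 'example_safe_support' );

// The diagnostic payload itself. Version numbers and the plugin list are exactly
// the kind of reconnaissance data that should only ever reach an administrator.
function example_support_args() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    return array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
        'plugins'     => array_keys( get_plugins() ),
    );
}
```

Two checks worth running against any plugin you maintain or audit: grep for wp_ajax_nopriv_ registrations and confirm each one genuinely needs to serve anonymous visitors, and look at how every token or hash that acts as an access key is produced; if it can be rebuilt from site_url(), a plugin path or another public value, it is not a secret.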