Wordfence researchers have recently discovered that more than 1 million WordPress websites were affected by Gutenberg Template Library & Redux Framework vulnerabilities.
As explained in a blog post, one vulnerability (CVE-2021-38312) enabled users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API, while a second flaw (CVE-2021-38314) allowed unauthenticated threat actors to access potentially sensitive data about a site’s configuration.
Image Source: Redux.io
CVE-2021-38312
To extend the functionality of a site, the Gutenberg Template Library & Redux Framework plugin allows site owners to add blocks and block templates by choosing them from a library. For this to happen, it uses the WordPress REST API to process requests to list and install available blocks, manage existing blocks, and so on.
As detailed by the researchers,
While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this callback only checked whether or not the user sending the request had the edit_posts capability. Users with lower permissions that should not be fully trusted for the implemented functionality, such as contributors and authors, have this capability.
As a result, any account holding edit_posts could install and activate any plugin from the WordPress.org repository via the redux/v1/templates/plugin-install endpoint, or use the redux/v1/templates/delete_saved_block endpoint to delete arbitrary posts and pages, actions that normally require the install_plugins, activate_plugins and delete_others_posts capabilities held only by administrators and editors.
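The following is an added illustration written for this article, not code from the plugin or from Wordfence. It registers a REST route guarded only by edit_posts, the pattern the researchers describe, beside hardened versions that require the capability matching the action (install_plugins plus activate_plugins for installing, and the per-post delete_post meta capability for deleting). The namespace example/v1, the route names and the handler names are hypothetical.

```php
<?php
// Added example (hypothetical plugin code): weak vs. hardened permission_callback.

add_action( 'rest_api_init', function () {

    // WEAK: Contributors and Authors hold edit_posts, so this check lets a
    // contributor-level account reach a handler that installs plugins.
    register_rest_route( 'example/v1', '/plugin-install', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );

    // HARDENED: require the capabilities that actually match the action.
    // By default only Administrators hold install_plugins and activate_plugins
    // (on multisite, install_plugins is reserved for Super Admins).
    register_rest_route( 'example/v1', '/plugin-install-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key', // lowercase [a-z0-9_-] only
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
    ) );

    // HARDENED delete: check the object-level capability against the specific post.
    // delete_post is a meta capability, mapped per post, so a Contributor passes
    // only for their own unpublished posts and never for someone else's content.
    register_rest_route( 'example/v1', '/delete-saved-block/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_delete_block',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'delete_post', (int) $request['id'] );
        },
    ) );
} );

// Installs a plugin from the WordPress.org repository by slug (hypothetical handler).
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';           // filesystem API
    require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $request['slug'],
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin install failed', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'installed' => $upgrader->plugin_info() ), 200 );
}

// Deletes the saved block (a post) after the per-post capability check above.
function example_delete_block( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    if ( ! $deleted ) {
        return new WP_Error( 'not_deleted', 'Could not delete post', array( 'status' => 400 ) );
    }
    return new WP_REST_Response( array( 'deleted' => (int) $request['id'] ), 200 );
}
```

A quick check for any site: log in as a Contributor, obtain a REST nonce (`wp_create_nonce( 'wp_rest' )` in a theme snippet, or the one the admin screens embed), and send a POST to the route with the `X-WP-Nonce` header. A 403 `rest_forbidden` response means the permission_callback is doing its job; a 200 from a contributor-level session is the condition the advisory describes.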
CVE-2021-38314
This vulnerability exists because the Gutenberg Template Library & Redux Framework plugin registers several AJAX actions that are available to unauthenticated users. One of them is deterministic and predictable, which makes it possible for anyone to work out what a site's $support_hash would be.
This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY.
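As an added illustration (written for this article, not the plugin's own code or the researchers'), here is the weak pattern the advisory describes, an AJAX action registered with the wp_ajax_nopriv_ prefix that returns a plugin inventory and an md5 of the site's authentication keys, beside a hardened handler that is only registered for logged-in users, checks a nonce and the manage_options capability, and identifies the site with a random opaque token that is not derived from any secret. The action names, the nonce action and the option name are hypothetical.

```php
<?php
// Added example (hypothetical plugin code): unauthenticated support-info AJAX
// action beside a hardened version.

// WEAK: wp_ajax_nopriv_* exposes the handler to logged-out visitors, so a GET to
// /wp-admin/admin-ajax.php?action=example_support_args from any client returns
// the PHP version, the plugin inventory and a hash derived from the salts.
add_action( 'wp_ajax_nopriv_example_support_args', 'example_support_args_weak' );
add_action( 'wp_ajax_example_support_args',        'example_support_args_weak' );

function example_support_args_weak() {
    wp_send_json( array(
        'php_version'  => PHP_VERSION,
        'plugins'      => get_plugins(), // admin-ajax.php loads wp-admin/includes/plugin.php
        // Unsalted md5 of the secrets: cheap to brute-force offline if the keys
        // were ever weak, and it reveals whether two sites share a config.
        'support_hash' => md5( AUTH_KEY . SECURE_AUTH_KEY ),
    ) );
}

// HARDENED: no nopriv registration, a nonce bound to the logged-in user, an
// explicit capability check, and an identifier unrelated to the site's keys.
add_action( 'wp_ajax_example_support_args_safe', 'example_support_args_safe' );

function example_support_args_safe() {
    // Dies with a 403 if the 'nonce' request field does not verify for this user.
    check_ajax_referer( 'example_support_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array(
        'php_version'  => PHP_VERSION,
        'wp_version'   => get_bloginfo( 'version' ),
        'plugins'      => example_active_plugin_versions(),
        'support_hash' => example_support_token(),
    ) );
}

// Random token created once and stored as a non-autoloaded option; rotating it
// is just deleting the option. Nothing about it can be computed by an outsider.
function example_support_token() {
    $token = get_option( 'example_support_token' );
    if ( ! $token ) {
        $token = bin2hex( random_bytes( 16 ) );
        add_option( 'example_support_token', $token, '', 'no' );
    }
    return $token;
}

// Only active plugins and their versions, which is what support actually needs.
function example_active_plugin_versions() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $out = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( is_plugin_active( $file ) ) {
            $out[ $file ] = $data['Version'];
        }
    }
    return $out;
}

// The admin page that calls the safe action hands the nonce to its script, e.g.:
// wp_localize_script( 'example-admin', 'exampleSupport',
//     array( 'nonce' => wp_create_nonce( 'example_support_nonce' ) ) );
```

To check a site from a logged-out session, request `/wp-admin/admin-ajax.php?action=<action name>` with curl and no cookies. WordPress answers `0` with HTTP 400 for an action that has no wp_ajax_nopriv_ registration, which is what the hardened handler produces; a JSON body containing a plugin list or any hash is the exposure the advisory describes.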
The researchers added that although neither vulnerability could be used on its own to take over a website, both are useful tools for a skilled attacker: a contributor-level account that can install arbitrary plugins can bring in one with a known weakness, and the configuration details exposed to unauthenticated users make it easier to pick that target.
A patch has already been issued by Redux.io, in version 4.2.13, and users are strongly recommended to update to the latest version of the plugin as soon as possible.
Not the First WordPress Plugin Problem
Back in February, the same security researchers disclosed a set of vulnerabilities in WordPress' Elementor plugin which affected more than 7 million websites. The flaws were Stored Cross-Site Scripting (XSS) vulnerabilities that could allow attackers to take full control of a website.
A month later, the Wordfence Threat Intelligence team revealed two vulnerabilities in the Facebook for WordPress plugin: a PHP Object Injection flaw that could lead to remote code execution, and a CSRF flaw that allowed attackers to inject malicious JavaScript.
In May, several WordPress plugin vulnerabilities with a CVSS score of 9.8 were discovered. These flaws made it possible for an attacker to escalate their privileges and upload malicious code, resulting in the complete takeover of a WordPress site.
In June, security researchers warned of a dangerous zero-day vulnerability in a WordPress plugin that was being actively exploited in the wild. Threat actors who successfully exploit the Fancy Product Designer vulnerability can bypass the plugin's built-in checks that are meant to block harmful file uploads, and deploy executable PHP files on websites where the plugin is installed.