Improper Authorization in Gutenberg Template Library & Redux Framework

#VU56297 Improper Authorization in Gutenberg Template Library & Redux Framework

Published: 2021-09-03

Vulnerability identifier: #VU56297

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38312

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gutenberg Template Library & Redux Framework
Web applications / Modules and components for CMS

Vendor: Redux.io

Description

The vulnerability allows a remote attacker to bypass authotization checks.

The vulnerability exists due to incorrect authorization check in the REST API endpoints registered under the "redux/v1/templates/" REST Route in "redux-templates/classes/class-api.php". A remote authenticated attacker can install arbitrary plugins from the WordPress repository and edit arbitrary posts.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gutenberg Template Library & Redux Framework: 4.1.20 - 4.2.11

External links
http://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Gutenberg Template Library & Redux Framework plugin for WordPress