New WordPress Plug-in Vulnerability Lets Hackers Access Sensitive Data of Over 1 Million Websites


The Threat Intelligence team of the security firm Wordfence disclosed two vulnerabilities in the Gutenberg Template Library & Redux Framework plugin on August 3, 2021; the plugin is installed on over 1 million WordPress sites.

One of the vulnerabilities allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins, and also to delete any post or page through the REST API.

The second vulnerability allowed threat actors to access potentially sensitive data about a site's configuration. Wordfence noted that Wordfence Premium users have received a firewall rule that protects against exploitation of this vulnerability through the REST API.

Vulnerabilities Detected

  • Description: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
  • Affected Plugin: Gutenberg Template Library & Redux Framework
  • Plugin Slug: redux-framework
  • Affected Versions: <= 4.2.11
  • CVE ID: CVE-2021-38312
  • CVSS Score: 7.1 (High)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
  • Researcher/s: Ramuel Gall
  • Fully Patched Version: 4.2.13

  • Description: Unauthenticated Sensitive Information Disclosure
  • Affected Plugin: Gutenberg Template Library & Redux Framework
  • Plugin Slug: redux-framework
  • Affected Versions: <= 4.2.11
  • CVE ID: CVE-2021-38314
  • CVSS Score: 5.3 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Researcher/s: Ramuel Gall
  • Fully Patched Version: 4.2.13

After detecting the vulnerabilities, the researchers contacted the plugin's publisher, Redux.io, who responded immediately. A fully patched version of the plugin, 4.2.13, was released on August 11, 2021.

The Gutenberg Template Library & Redux Framework plugin lets site owners add blocks and block templates, chosen from a library, to extend the functionality of their site.

To do this, the plugin uses the WordPress REST API for requests that list and install available blocks, manage existing blocks, and more.

Of the two vulnerabilities detected in Gutenberg Template Library & Redux Framework, one is high severity: it allowed contributor-level users to install and activate plugins, and then to delete posts and pages from the site.

The other is lower severity and exposed potentially sensitive information.
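To make the authorization failure concrete, here is an added example in PHP (not the plugin's own code, which the article does not show): a hypothetical plugin registering REST routes, with the weak capability check that a contributor passes shown beside the checks each operation actually requires. The namespace example/v1, the route paths and the function names are assumptions.

```php
<?php
// Added example (not the Redux Framework plugin's code): routes of a hypothetical plugin.
// WEAK: Contributors hold 'edit_posts', so using it to gate plugin installation or
// deletion of arbitrary posts is the incorrect-authorization pattern described above.
function example_weak_permission() {
    return current_user_can( 'edit_posts' );
}
// HARDENED: installing and activating plugins needs those specific capabilities.
function example_install_permission() {
    return current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' );
}
// HARDENED: 'delete_post' is a per-post meta capability, checked for this post id.
function example_delete_permission( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    return $post_id > 0 && current_user_can( 'delete_post', $post_id );
}
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $ok       = $upgrader->install( $api->download_link );
    if ( is_wp_error( $ok ) || ! $ok ) {
        return new WP_Error( 'install_failed', 'Plugin install failed', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'installed' => $upgrader->plugin_info() ), 201 );
}
function example_delete_post( WP_REST_Request $request ) {
    if ( ! wp_delete_post( (int) $request['id'], true ) ) {
        return new WP_Error( 'not_deleted', 'Post could not be deleted', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'deleted' => true ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/plugins/install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_install_plugin',
        'permission_callback' => 'example_install_permission', // not example_weak_permission
        'args'                => array( 'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ) ),
    ) );
    register_rest_route( 'example/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_post',
        'permission_callback' => 'example_delete_permission',
    ) );
} );
```

The practical check for any plugin you run is that every register_rest_route call has a permission_callback tied to the capability the handler's action needs, not merely to being logged in or to edit_posts.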

Threat actors are using these vulnerabilities as tools in their planned operations and attacks. Users must therefore update to the latest version of the plugin, 4.2.14, as soon as possible; it is fully patched and protects users against this kind of attack.

About author
Webhack Solutions is an India-based digital marketing company which provides social media marketing solutions, PR and more.