CVE-2021-38312

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-38312
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38312.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-38312
Published
2021-09-02T17:15:09Z
Modified
2025-01-14T09:29:48.947044Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the "redux/v1/templates/" REST route in "redux-templates/classes/class-api.php". The permissions_callback used in this file only checked for the edit_posts capability, which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.

References

Affected packages

Git / github.com/reduxframework/redux-framework

Affected ranges

Type
GIT
Repo
https://github.com/reduxframework/redux-framework
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected

Affected versions

3.*

3.0.0-beta
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.2
3.1.3
3.1.4
3.1.6
3.1.8
3.1.9
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.8
3.2.9
3.2.9.13
3.3.0
3.3.1.1
3.3.3
3.3.4
3.3.6
3.3.6.8
3.3.8
3.3.9.4
3.4.0
3.4.3.6
3.5.0
3.5.1
3.5.3
3.5.4.3
3.5.5
3.5.5.10
3.5.7
3.5.8.1
3.5.9
3.6.0.1
3.6.15
3.6.16
3.6.17
3.6.18
3.6.2
3.6.4
3.6.5

4.*

4.1.28
4.1.29
4.2.0
4.2.1
4.2.10
4.2.11
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9

Other

test2