CVE-2021-38312

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-38312

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38312.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-38312

Published

2021-09-02T17:15:09Z

Modified

2025-01-14T09:29:48.947044Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The permissions_callback used in this file only checked for the edit_posts capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.

References

https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/

Affected packages

Git / github.com/reduxframework/redux-framework

Affected ranges

Type: GIT
Repo: https://github.com/reduxframework/redux-framework
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

19be1fa302fd9744226eddeb50b618cacc208e95

Affected versions

3.*

3.0.0-beta

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.2

3.1.3

3.1.4

3.1.6

3.1.8

3.1.9

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.8

3.2.9

3.2.9.13

3.3.0

3.3.1.1

3.3.3

3.3.4

3.3.6

3.3.6.8

3.3.8

3.3.9.4

3.4.0

3.4.3.6

3.5.0

3.5.1

3.5.3

3.5.4.3

3.5.5

3.5.5.10

3.5.7

3.5.8.1

3.5.9

3.6.0.1

3.6.15

3.6.16

3.6.17

3.6.18

3.6.2

3.6.4

3.6.5

4.*

4.1.28

4.1.29

4.2.0

4.2.1

4.2.10

4.2.11

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

Other

test2