CVE-2021-38314
- Source
- https://cve.org/CVERecord?id=CVE-2021-38314
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38314.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-38314
- Published
- 2021-09-02T17:15:09.777Z
- Modified
- 2026-04-10T04:37:51.794802Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the
includesfunction inredux-core/class-redux-core.phpthat were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’sAUTH_KEYconcatenated with theSECURE_AUTH_KEY. - References
Affected packages
Git / github.com/reduxframework/redux-framework
Affected versions
3.*
3.0.0-beta
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.2
3.1.3
3.1.4
3.1.6
3.1.8
3.1.9
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.8
3.2.9
3.2.9.13
3.3.0
3.3.1.1
3.3.3
3.3.4
3.3.6
3.3.8
3.3.9.4
3.4.0
3.4.3.6
3.5.0
3.5.1
3.5.5
3.5.5.10
3.5.7
3.5.9
3.6.0.1
3.6.15
3.6.16
3.6.17
3.6.18
3.6.5
4.*
4.1.28
4.1.29
4.2.0
4.2.1
4.2.10
4.2.11
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9