| |
Vulnerability CVE-2021-38312
Published: 2021-09-02
| Description: |
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the ??redux/v1/templates/? REST Route in ??redux-templates/classes/class-api.php?. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts. |
Type:
CWE-863 (Incorrect Authorization)
CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:N)
| CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
4/10 |
2.9/10 |
8/10 |
| Exploit range |
Attack complexity |
Authentication |
Remote |
Low |
Single time |
| Confidentiality impact |
Integrity impact |
Availability impact |
None |
Partial |
None |
References: |
https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
