WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News


The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site’s configuration. Redux.io’s plugin provides a variety of templates and building blocks for developing web pages in WordPress’ Gutenberg editor. 
This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 
The first vulnerability (CVE-2021-38312) is rated high-severity on the CVSS scale, with a score of 7.1 out of 10. It stems from the plugin’s use of the WordPress REST API to handle requests to install and manage blocks; according to Wordfence, the plugin fails to properly verify user permissions on those requests. 
The WordPress REST API allows apps to communicate with the user’s WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It’s the backbone of the WordPress Block Editor, and it may also help the user’s theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user’s site’s content. 
“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday
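The pattern Wordfence describes, a REST route whose permission_callback checks only a low-privilege capability while the handler performs an administrator-level action, is easy to reproduce in a few lines of plugin code. The following is an added illustration, not code from the Redux plugin or from Wordfence: a hypothetical `example/v1` namespace, route names, and handler function are assumed, and the weak registration is shown beside one that gates on the capability the action actually requires (`install_plugins` is a real WordPress capability; `edit_posts` is held by Contributors and above).

```php
<?php
// Added illustration (not the Redux plugin's own code). Route names, the
// 'example/v1' namespace and example_install_block_plugin() are hypothetical.

add_action( 'rest_api_init', function () {

    // Weak: any user with edit_posts (Contributors and above) passes this check,
    // although the handler installs a plugin, which is an administrator action.
    register_rest_route( 'example/v1', '/templates/install', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_block_plugin',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );

    // Hardened: the capability matches the side effect of the handler, and the
    // request argument is validated before the callback ever sees it.
    register_rest_route( 'example/v1', '/templates/install-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_block_plugin',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to install plugins.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    // Plugin slugs are lowercase alphanumerics and hyphens.
                    return is_string( $value ) && preg_match( '/^[a-z0-9-]+$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

// Hypothetical handler shared by both routes. A real implementation would hand
// the slug to Plugin_Upgrader; that part is deliberately left out here.
function example_install_block_plugin( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

When auditing a plugin for this class of issue, list every `register_rest_route()` call and compare the capability each `permission_callback` tests against what the handler does (install, delete, read configuration); a mismatch of the kind shown in the first route is the finding, regardless of whether a callback is present at all.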

[…]