Wordfence has published details of two vulnerabilities affecting users of the Redux Framework plugin, which has more recently come to be known as the “Gutenberg Template Library & Redux Framework” on WordPress.org. Extendify bought the plugin from its creator, Dōvy Paukstys, in November 2020, in a deal that was not widely publicized. It is currently active on more than 1 million WordPress sites.
Throughout most of its history, Redux has been known as a popular options framework for themes and plugins. In 2020, Paukstys relaunched the framework with a focus on Gutenberg templates. Users can now browse more than 1,000 templates from inside the block editor.
It is this new template-browsing feature that was found to be vulnerable in Wordfence’s recent security report, due to a lax permissions check on the WP REST API endpoints the plugin uses to process requests for its template library. On August 3, 2021, Wordfence disclosed one high-severity vulnerability described as an “Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion” and a lower-severity “Unauthenticated Sensitive Information Disclosure” vulnerability to the plugin’s owners. The report published this week describes the nature of the threat:
One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.
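The permission problem the report describes lives in the permission_callback of a WordPress REST route: if that callback only asks whether someone is logged in, every Contributor can reach an endpoint that installs plugins or deletes content, and if it is __return_true, anyone on the internet can. The following is an added illustration, not code from Redux Framework, Extendify or Wordfence, and the page does not show the actual Redux check. It is a hypothetical plugin, “example-templates”, with endpoints of the same kind, showing a lax check next to ones that require the capability each action actually consumes. All route, function and parameter names are assumptions.

```php
<?php
// Added example, not Redux Framework / Extendify code. Hypothetical plugin
// "example-templates"; route names, function names and parameters are assumptions.

// WEAK: passes for any authenticated user, Contributors included. A check like
// this on a plugin-install or post-delete route is the class of flaw in the report.
function example_templates_weak_permission() {
    return is_user_logged_in();
}

// HARDENED: require the capabilities the action consumes. On a single site only
// Administrators hold install_plugins and activate_plugins.
function example_templates_install_permission() {
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return true;
    }
    // rest_authorization_required_code(): 401 for anonymous callers, 403 when logged in.
    return new WP_Error( 'rest_forbidden', 'You are not allowed to install plugins.',
        array( 'status' => rest_authorization_required_code() ) );
}

// HARDENED, per object: delete_post is a meta capability that WordPress maps to the
// primitive for *this* post, so a Contributor may trash their own draft but not
// someone else's published page.
function example_templates_delete_permission( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( get_post( $post_id ) && current_user_can( 'delete_post', $post_id ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You are not allowed to delete this post.',
        array( 'status' => rest_authorization_required_code() ) );
}

function example_templates_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve a WordPress.org slug to its package URL, then install and activate it.
    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'example_install_failed', 'Install failed.', array( 'status' => 500 ) );
    }
    $plugin_file = $upgrader->plugin_info(); // e.g. "slug/slug.php"
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'installed' => $plugin_file, 'active' => true ) );
}

function example_templates_delete_post( WP_REST_Request $request ) {
    $trashed = wp_trash_post( (int) $request['id'] );
    if ( ! $trashed ) {
        return new WP_Error( 'example_delete_failed', 'Could not trash post.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'trashed' => $trashed->ID ) );
}

// Configuration readout. With 'permission_callback' => '__return_true' this would be
// reachable unauthenticated, the second (information-disclosure) class of bug in the report.
function example_templates_config() {
    return rest_ensure_response( array(
        'wp_version'     => get_bloginfo( 'version' ),
        'active_plugins' => get_option( 'active_plugins', array() ),
    ) );
}

add_action( 'rest_api_init', function () {
    $ns = 'example-templates/v1';

    register_rest_route( $ns, '/install-plugin', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_templates_install_plugin',
        'permission_callback' => 'example_templates_install_permission', // not the weak check
        'args'                => array(
            'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );

    register_rest_route( $ns, '/posts/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_templates_delete_post',
        'permission_callback' => 'example_templates_delete_permission',
    ) );

    register_rest_route( $ns, '/config', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_templates_config',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The check is tied to the capability each callback spends, not to login state, and the delete check is evaluated against the specific post ID in the request rather than as a blanket yes/no. A quick way to confirm a fix of this kind on a test site is to call each route while authenticated as a Contributor (for example with an application password over HTTP basic auth) and as an anonymous client: a patched endpoint answers 403 and 401 respectively, and the plugin list and post table are unchanged afterwards.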
Extendify responded immediately and shipped a patched version (4.2.13) of the Redux Framework on August 11, 2021. At the time of publishing, more than 71% of sites using the Redux Framework plugin are running older versions that remain vulnerable. Users are advised to update to the latest version in order to get the security patch, especially now that Wordfence has published an article showing how attackers could potentially exploit these vulnerabilities.