Wordfence has published two vulnerabilities that affect users of the Redux Framework plugin, which has more recently come to be know as the “Gutenberg Template Library & Redux Framework” on WordPress.org. Extendify purchased the plugin from its creator, Dōvy Paukstys, in November 2020, in a deal that was not highly publicized. It is currently active on more than 1 million WordPress sites.
Throughout most of its history, Redux has been known as a popular options framework for themes and plugins. In 2020, Paukstys relaunched the framework with a focus on Gutenberg templates. Users can now browse more than 1,000 templates from inside the block editor.
It is this new template-browsing feature that was found to be vulnerable in Wordfence’s recent security report, due to a lax permissions check on the WP REST API endpoints the plugin uses to process requests in its template library. On August 3, 2021, Wordfence disclosed one high-severity vulnerability described as an “Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion” and a lower-severity “Unauthenticated Sensitive Information Disclosure” vulnerability to the plugin’s owners. The report published this week describes the nature of the threat:
One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.
Extendify responded immediately and shipped a patched version (4.2.13) of the Redux Framework on August 11, 2021. At the time of publishing, more than 71% of sites using the Redux Framework plugin are running on older versions that remain vulnerable. Users are advised to update to the latest version in order to get the security patch, especially now that Wordfence has published an article showing how attackers could potentially exploit these vulnerabilities.