WordPress: Wordfence researchers have found two vulnerabilities in a popular plugin installed on more than 1 million websites around the world. WordPress platform. Security holes allow hackers to install and remove extensions and access potentially sensitive information about a website’s configuration.
Problems have been found in the Gutenberg Template Library & Redux Framework plugin, which should be updated as soon as possible, researchers recommend. “While neither flaw can be used directly to take control of a website, both vulnerabilities could be useful tools in the hands of a skilled attacker,” they say.
The first bug (CVE-2021-38312) is considered very serious and is rated 7.1 on a scale of up to 10 on the Common Vulnerability Scoring System (CVSS). The vulnerability comes with the use of the REST API plugin, which handles requests to install and manage Gutemberg system blocks.
The flaw affects the site’s permissions and eventually leads to vulnerabilities. Users with less privilege, such as contributors and authors, would have the option to install any plugin on the site, the company emphasizes.
The second vulnerability (CVE-2021-38314) is of moderate severity and is rated at 5.3 on the CVSS scale. The error can be used to obtain potentially confidential information such as the PHP version, active plugins on the site and their versions. The data can be used for more robust attacks, including potential intrusion.