Countless websites are vulnerable due to two security gaps in the WordPress plug-in Gutenberg Template Library & Redux Framework. After successful attacks, attackers could install plug-ins with malicious code or delete posts.
Patch now!
According to the official WordPress plugin website the software has over a million active installations. This allows you to manage and use templates for website designs, among other things. Admins should ensure that they have version 4.2.13 installed. The developers state that the two vulnerabilities (CVE-2021-38312, “high“, CVE-2021-38314, “middle“) to have closed.
Due to insufficient checks in the WordPress REST API, an attacker registered as an author could install any plug-ins from the WordPress repository. If he uploads software prepared with malicious code there, this could initiate the takeover of a website after installation.
By successfully exploiting the second loophole, an attacker could access configuration information from websites that was actually sealed off. The discoverers of the gaps in Wordfence state in a postthat the plug-in developers released a security patch within less than a week.
(from)
