A third party WordPress Gutenberg Template Library plugin with over a million users was discovered to have two vulnerabilities. Successful exploitation of these vulnerabilities could create an indirect path toward a total site takeover.
The WordPress plugin, Gutenberg Template Library & Redux Framework, was discovered by WordPress security company WordFence to be vulnerable to two specific attacks.
Gutenberg Template Library & Redux Framework WordPress Plugin
This plugin is a library of WordPress Gutenberg blocks that allow publishers to easily build websites using the pre-made building “blocks” when creating a website using the Gutenberg interface.
According to the official plugin description:
“Quickly create full pages in WordPress’ Gutenberg
Supercharge the Gutenberg editor with our ever-growing library of WordPress Blocks and templates. Discover what’s possible and implement any design on your website in virtually no time at all.”
One of the vulnerabilities takes advantage of a less secure code interface with the WordPress REST-API. The REST-API is a feature that allows plugins to interface with the CMS and make changes within the website.
The WordPress REST-API developer page describes it like this:
It is the foundation of the WordPress Block Editor, and can likewise enable your theme, plugin or custom application to present new, powerful interfaces for managing and publishing your site content.
…the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
Technically, when a plugin interface is securely implemented by plugin coders, the WordPress REST-API does not present a security issue.
Gutenberg Template Library & Redux Framework Vulnerabilities
There are two vulnerabilities. Neither of these vulnerabilities allow an attacker to take over a website.
However the vulnerabilities do allow the attackers to institute a series of changes that can then lead to a total site takeover.
The first vulnerability allows an attacker with contributor or author level permissions to install any vulnerable plugin that’s in the WordPress repository and from there take advantage of those vulnerabilities to execute an attack.
The second vulnerability is described as an Unauthenticated Sensitive Information Disclosure vulnerability by WordFence.
The word “unauthenticated” means that the attacker does not need to be signed into the WordPress site in order to execute the attack.
This particular vulnerability allowed an attacker to retrieve sensitive information about the WordPress site. This allows the attacker to identify vulnerable plugins that can be exploited.
According to WordFence:
“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY.
This would be most useful in cases where a separate plugin with an additional vulnerability was installed, as an attacker could use the information to save time and plan an intrusion.”
Users Encouraged to Update their Plugins
WordFence strongly encouraged all users of the plugin to update to at least version 4.2.13 of the Gutenberg Template Library & Redux Framework WordPress plugin.
Read the WordFence announcement
Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities