Title text on background showing a crowd and a stylized word Redux

Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.

The plugin’s publisher, Redux.io, replied almost immediately to our initial contact and we provided full disclosure the same day, on August 3, 2021. A patched version of the plugin, 4.2.13, was released on August 11, 2021.

Wordfence Premium users received a firewall rule to protect against the vulnerability targeting the REST API on August 3, 2021. Sites still running the free version of Wordfence will receive the same protection after 30 days, on September 2, 2021.

Description: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38312
CVSS Score: 7.1(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 4.2.13

The Gutenberg Template Library & Redux Framework plugin allows site owners to add blocks and block templates to extend the functionality of a site by choosing them from a library. In order to do this, it uses the WordPress REST API to process requests to list and install available blocks, manage existing blocks, and more.

While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this callback only checked whether or not the user sending the request had the edit_posts capability. Users with lower permissions that should not be fully trusted for the implemented functionality, such as contributors and authors, have this capability.

This made it possible for a contributor to install not only block templates but any plugin in the WordPress repository via the redux/v1/templates/plugin-install endpoint, though only plugins where the main file matched certain criteria would be successfully activated. While this could not be used directly to take over a site, an attacker could use this functionality to install and activate a vulnerable plugin or combination of plugins and use it to gain further access.

It was also possible for a contributor-level user to delete any post or page using the redux/v1/templates/delete_saved_block endpoint. Additional endpoints registered under this REST route also allowed license management for the Redux plugin, which lower-privileged users should not be able to access.

Description: Unauthenticated Sensitive Information Disclosure
Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38314
CVSS Score: 5.3(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 4.2.13

The Gutenberg Template Library & Redux Framework plugin registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable.

One of these, the $hash_arg, was based on an md5 hash of the site’s URL with a known “salt” of “-redux”. For instance, a site with the URL of ‘http://examplesite[.]com/’ would have a $hash_arg of “901804a230b5e6399d82dcd782395849”, and thus an AJAX action of wp_ajax_nopriv_901804a230b5e6399d82dcd782395849 would be registered on that site.

			$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
			add_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
			add_action( 'wp_ajax_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
			$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );
			add_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
			add_action( 'wp_ajax_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
			add_action( 'wp_ajax_redux_support_hash', array( 'Redux_Functions', 'support_hash' ) );

Sending an AJAX request with this action resulted in a response containing a second hash.

		public static function hash_arg() {
			echo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );
			die();
		}

Based on this, it was possible to determine what the $support_hash for a site would be by taking the hash returned in the response from the $hash_arg AJAX action, appending “-support” as a “salt” and taking the md5 hash of that value.

This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY.

This would be most useful in cases where a separate plugin with an additional vulnerability was installed, as an attacker could use the information to save time and plan an intrusion.

Timeline

August 3, 2021 – Wordfence Threat Intelligence finishes analyzing the Gutenberg Template Library & Redux Framework plugin. We release a firewall rule to Wordfence Premium users and initiate the disclosure process. The plugin developer responds and we provide full disclosure.
August 11, 2021 – A patched version of the plugin, 4.2.13, becomes available.
September 2, 2021 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered a high-severity vulnerability in Gutenberg Template Library & Redux Framework that allowed contributor-level users to install and activate plugins and delete posts and pages from a site, as well as a lower-severity vulnerability that disclosed potentially sensitive information. While neither of these could be used directly to take over a site, both vulnerabilities could be useful tools in the hands of a skilled attacker.

Wordfence Premium users have been protected from the REST API vulnerability since August 3, 2021. Sites still running the free version of Wordfence will receive the same protection tomorrow, September 2, 2021.

We strongly recommend that all users update to the latest version of the plugin, 4.2.14 as of this writing, as soon as possible. If you know of any friends or colleagues who are using this plugin, we encourage you to share this article with them.

Did you enjoy this post? Share it!

Comments

3 Comments
  • It would appear that there are other plugins that were using this plugin as an extension to their own and including it within their plugin/theme:

    1. AMP for WP: https://wordpress.org/plugins/accelerated-mobile-pages/
    2. BuddyBoss Theme: https://www.buddyboss.com/

  • Redux framework is not only distributed as a plugin. Many theme/plugin developers (including premium products) also used this library as a library. Those site owners do not have the option to one-click update. Knowing the WordPress ecosystem for nearly a decade, I would assume a large number of those vulnerable sites will never be upgraded (people often unsubscribe from premium produces once they have the product and does not wait for an update).

    This article showing how one can potentially exploit, I don't think this was a good move from Wordfence to provide that level of details.

    I appreciate what you guys do but you need to consider some things case by case basis. Redux framework is not a plugin everyone can "One click update".

    • Hi Sisir,

      We took this into consideration - although we weren't able to do an exhaustive search of premium plugins, our search through the free plugin and themes directory (as well as the install count of the redux-framework slug itself) indicated that the vast majority of plugins and theme installations that include the redux framework do so in such a way that it can be updated via the plugin repository. Additionally any plugins that include the vulnerable REST API functionality on their own without separately installing the Redux plugin would be covered by the firewall rule that is now available to free Wordfence users.