WordPress Plugin Leaves 1 Million Websites Vulnerable to Hackers

WordPress: Wordfence researchers have found two vulnerabilities in a popular plugin installed on over 1 million websites built on the WordPress platform. The security holes can allow attackers to install and delete extensions and to access potentially sensitive information about a website's configuration.

The problems were found in the Gutenberg Template Library & Redux Framework plugin, which the researchers recommend updating as soon as possible. "While neither flaw can be used directly to take control of a website, both vulnerabilities can be useful tools in the hands of a skilled attacker," they say.

Vulnerabilities found

The first bug (CVE-2021-38312) is considered to be of high severity and is rated 7.1 on the Common Vulnerability Scoring System (CVSS) scale of 10. The security hole lies in the plugin's REST API, which processes requests to install and manage Gutenberg blocks.

The flaw is in the site's permission checks and creates a point of exposure: users with fewer privileges, such as contributors and authors, would have the ability to install any plugin on the site, the company points out.

The second vulnerability (CVE-2021-38314) has medium severity and is rated 5.3 on the CVSS scale. The flaw could be used to obtain potentially confidential information such as the PHP version and the plugins active on the site along with their versions. That data can be used to prepare more targeted attacks, including a possible intrusion.
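To show the permission-check pattern a site owner or plugin reviewer would look for in a bug of this kind, here is an added illustration that is not the Redux Framework plugin's own code: a WordPress REST route gated by a capability that contributors already hold, beside the same route gated by the capability that actually matches the action. The route names and the `edit_posts` check are assumptions for illustration.

```php
<?php
// Added illustration (not the Redux Framework plugin's code). Route names and the
// 'edit_posts' check are assumptions chosen to show the pattern.

// Weak pattern: 'edit_posts' is granted to Contributors and Authors, so any such
// account passes the gate on an endpoint that installs plugins.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_install_handler',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // too weak for this action
        },
    ) );
} );

// Hardened pattern: require the capability that matches the action
// ('install_plugins' is held by Administrators on single-site installs) and
// return a WP_Error so the REST layer answers 401/403 with a clear message.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_install_handler',
        'permission_callback' => function () {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to install plugins.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key', // constrain the plugin slug
            ),
        ),
    ) );
} );

function example_plugin_install_handler( WP_REST_Request $request ) {
    // Installation logic is out of scope; the point is the gate above.
    return rest_ensure_response( array( 'slug' => $request->get_param( 'slug' ) ) );
}
```

When auditing a plugin, compare each route's `permission_callback` against what the route does: a capability such as `edit_posts` never justifies installing, activating or deleting plugins, and an endpoint returning configuration details (PHP version, plugin list) should be gated at least as strictly.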

Emily Charlotes
