vulnerability

WordPress Plugin: redux-framework: CVE-2021-38312: Incorrect Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:N/I:P/A:N)	Sep 1, 2021	May 15, 2025	Jul 10, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Published

Sep 1, 2021

Added

May 15, 2025

Modified

Jul 10, 2025

Description

The Gutenberg Template Library and Redux Framework plugin less than or equal to 4.2.12 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.

Solution

redux-framework-plugin-cve-2021-38312

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-38312
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/2ba556d0-48f9-4953-a5aa-876284e56360?source=api-prod
CVE-2021-38312
https://attackerkb.com/topics/CVE-2021-38312
CWE-863
CWE-280

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today