Extendify Patches Vulnerabilities in the Redux Framework Plugin

Posted by WP Tavern on September 2, 2021 at 8:50 pm
Category: News
Wordfence has published two vulnerabilities that affect users of the Redux Framework plugin, which has more recently come to be known as the “Gutenberg Template Library & Redux Framework” on WordPress.org. Extendify purchased the plugin from its creator, Dōvy Paukstys, in November 2020, in a deal that was not highly publicized. It is currently active on more than 1 million WordPress sites.

Throughout most of its history, Redux has been known as a popular options framework for themes and plugins. In 2020, Paukstys relaunched the framework with a focus on Gutenberg templates. Users can now browse more than 1,000 templates from inside the block editor. It is this new template-browsing feature that was found to be vulnerable in Wordfence’s recent security report, due to a lax permissions check on the WP REST API endpoints the plugin uses to process requests in its template library.

On August 3, 2021, Wordfence disclosed one high-severity vulnerability described as an “Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion” and a lower-severity “Unauthenticated Sensitive Information Disclosure” vulnerability to the plugin’s owners. The report published this week describes the nature of the threat: One vulnerability allowed users with lower permissions, such as contributors, to…

…Full post on WP Tavern