Gutenberg Template Library & Redux Framework < 4.2.13 – Unauthenticated Sensitive Information Disclosure | CVE 2021-38314 | Plugin Vulnerabilities

Description

Some AJAX actions of the plugin, available to unauthenticated users and used for support features could allow attackers to obtain potentially sensitive information such as the PHP version, active plugins along with their versions, as well as the unsalted MD5 hashes of the site’s AUTH_KEY and SECURE_AUTH_KEY.

Affects Plugins

redux-framework

Fixed in 4.2.13

References

CVE

URL

https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Ram Gall (Wordfence)

Verified

Yes

WPVDB ID

b6e6fa18-a292-49e1-a23b-d30606307455

Timeline

Publicly Published

2021-09-01 (about 4 years ago)

Added

2021-09-01 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-12-04

Title

Image Cleanup <= 1.9.2 - Unauthenticated Information Exposure

Published

2023-07-25

Title

Video Conferencing with Zoom < 4.3.0 - Sensitive Data Disclosure

Published

2023-07-18

Title

what3words Address Field < 4.0.0 - Admin+ Sensitive Information Disclosure

Published

2023-08-03

Title

WP Ultimate CSV Importer < 7.9.9 - Imported Files Disclosure

Published

2023-07-19

Title

Essential Addons For Elementor < 5.8.2 - Unauthenticated MailChimp API Key Disclosure