CVE-2021-38314: Redux Framework WordPress plugin vulnerability allows unauthenticated users to access sensitive site information through predictable AJAX actions.


Description

The Gutenberg Template Library & Redux Framework plugin for WordPress (versions 4.2.11 and earlier) registered several AJAX actions that were reachable by unauthenticated users. These actions were registered in the `includes` function of `redux-core/class-redux-core.php`. Although the action names were unique to each site, they were deterministic and predictable: they were derived from public input only, as an md5 hash of the site URL with the fixed salt '-redux', followed by another md5 hash of that result with the fixed salt '-support'. Anyone who knows a site's URL can therefore reproduce its action names. By calling these actions, unauthenticated attackers could retrieve sensitive information including a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with its `SECURE_AUTH_KEY`.

Overview

This vulnerability (CVE-2021-38314) affects the Redux Framework plugin at version 4.2.11 or earlier, a plugin installed on over 1 million WordPress sites. The issue stems from predictable AJAX action names that allow unauthenticated users to access sensitive site information. The vulnerability is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort): the md5-based scheme that "protected" these AJAX actions hashed only public input (the site URL) with fixed salts, so it provided no secret for an attacker to guess. An attacker can exploit this vulnerability to gather information about the site's configuration, which can be used to identify other vulnerabilities (for example, outdated plugins with known issues) or to plan more targeted attacks. The exposed information includes active plugins and their versions, the PHP version, and an unsalted md5 hash of the site's authentication keys.

Remediation

To remediate this vulnerability, site administrators should:

  1. Update the Gutenberg Template Library & Redux Framework plugin to version 4.2.12 or later, which addresses this security issue.
  2. If immediate updating is not possible, consider temporarily deactivating the plugin until it can be updated.
  3. Regularly audit your WordPress installation for outdated plugins and themes.
  4. Implement a Web Application Firewall (WAF) that can help protect against common WordPress vulnerabilities.
  5. Consider rotating the WordPress authentication keys and salts in `wp-config.php` after updating, since an md5 hash of `AUTH_KEY` concatenated with `SECURE_AUTH_KEY` was retrievable; note that rotating the keys invalidates all existing login sessions.
  6. Monitor site logs for any suspicious activity that might indicate exploitation attempts.
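The following Python is an added example, not code from the plugin or from the advisory. It implements the action-name derivation described above (md5 of the site URL with '-redux', then md5 of that hex digest with '-support'), builds the `admin-ajax.php` request an unauthenticated caller would use, and, for the log-monitoring step, scans constructed access-log lines for requests whose action equals the derived name. The exact string the plugin fed into md5 (trailing slash, scheme normalisation) is an assumption; the page only states the salts and the nesting. The sample log lines and the site URL `https://example.com` are constructed for the example.

```python
import hashlib
import re

# Constructed sample site URL for the example.
SITE = "https://example.com"


def derive_support_action(site_url):
    """Predictable action name as described in the advisory text:
    md5(site_url + '-redux') then md5(hex + '-support').
    Only public input and fixed salts go in, so anyone who knows the URL
    can compute the name. The URL normalisation is an assumption."""
    site_hash = hashlib.md5((site_url + "-redux").encode()).hexdigest()
    return hashlib.md5((site_hash + "-support").encode()).hexdigest()


def probe_request(site_url):
    """Endpoint and query string an unauthenticated caller would send.
    Returned, not sent: this demonstrates predictability, it is not a scanner."""
    endpoint = site_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    return endpoint, {"action": derive_support_action(site_url)}


# Matches GET/POST requests to admin-ajax.php whose query string carries a
# 32-hex action. Only GET (or POST with the action in the query string) is
# visible in access logs; a POST body is not logged, so this is a partial check.
ADMIN_AJAX_RE = re.compile(
    r'"(?:GET|POST) /wp-admin/admin-ajax\.php\?[^" ]*\baction=([0-9a-f]{32})\b'
)


def find_probe_hits(log_lines, site_url):
    """Indices of log lines whose admin-ajax action equals the action derived
    for site_url. Matching the derived value rather than any 32-hex action
    keeps the detection specific to this plugin's hook."""
    expected = derive_support_action(site_url)
    hits = []
    for i, line in enumerate(log_lines):
        m = ADMIN_AJAX_RE.search(line)
        if m and m.group(1) == expected:
            hits.append(i)
    return hits


def sample_access_log(site_url=SITE):
    """Constructed Apache-style lines: one real probe, one unrelated
    admin-ajax call with a different 32-hex action, one normal page view."""
    action = derive_support_action(site_url)
    decoy = "0" * 32
    return [
        f'203.0.113.5 - - [10/Sep/2021:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action={action} HTTP/1.1" 200 812 "-" "curl/7.68.0"',
        f'203.0.113.5 - - [10/Sep/2021:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action={decoy} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
        '198.51.100.7 - - [10/Sep/2021:12:00:03 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    ]


if __name__ == "__main__":
    endpoint, params = probe_request(SITE)
    print("derived action:", params["action"])
    print("probe endpoint:", endpoint)
    print("log lines matching the derived action:", find_probe_hits(sample_access_log(), SITE))
```

Because the derivation uses no secret, a defender can compute the same action name for their own site and add it to a WAF rule or log alert; conversely, a hash scheme that included an unguessable per-site secret (as WordPress nonces do via the keys in `wp-config.php`) would not be reproducible from the URL alone.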

References

  1. Wordfence Security Advisory: https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/
  2. WordPress Plugin Directory: https://wordpress.org/plugins/redux-framework/
  3. CWE-916: https://cwe.mitre.org/data/definitions/916.html
  4. WordPress Security Keys Documentation: https://wordpress.org/support/article/editing-wp-config-php/#security-keys

Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Arts, Entertainment & Recreation
  2. Accommodation & Food Services
  3. Administrative, Support, Waste Management & Remediation Services
  4. Agriculture, Forestry, Fishing & Hunting
  5. Construction
  6. Educational Services
  7. Finance and Insurance
  8. Health Care & Social Assistance
  9. Information
  10. Management of Companies & Enterprises
  11. Manufacturing
  12. Mining
  13. Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
  15. Public Administration
  16. Real Estate Rental & Leasing
  17. Retail Trade
  18. Transportation & Warehousing
  19. Utilities
  20. Wholesale Trade

Armis Vulnerability Intelligence Database