CVE-2021-38314
published 2021-09-02


Priority: P3 · 50 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 28.96% (97.9th percentile)
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.

Affected (2 ranges)

Vendor   | Product                                    | Version range   | Fixed in
redux.io | gutenberg_template_library_redux_framework | 4.2.11 – 4.2.11 |
redux    | gutenberg_template_library_redux_framework | <= 4.2.11       |

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}}
url:  /wp-admin/admin-ajax.php?action={{md5(replace('https://HOST/-redux','HOST',Hostname))}}
path: redux-core/class-redux-core.php
yara:
rule CVE_2021_38314_Redux_AJAX_Probe
{
    strings:
        // admin-ajax.php request with an action parameter
        $path = "/wp-admin/admin-ajax.php?action="
        // 32 lowercase hex characters: the md5-shaped action name
        $hash = /[a-f0-9]{32}/
    condition:
        $path and $hash
}
  • The vulnerable AJAX action parameter is a predictable md5 hash: md5('<site_url>-redux'). Monitor GET requests to /wp-admin/admin-ajax.php where the `action` parameter is a 32-character lowercase hex string (md5 format) with no other recognizable action name.
  • A successful exploitation response body is a 32-character lowercase hex string (unsalted md5 of AUTH_KEY+SECURE_AUTH_KEY) with body length under 50 bytes. Alert on 200 responses to admin-ajax.php matching this pattern.
  • The second-stage AJAX action (for plugin/PHP version enumeration) is md5(md5('<site_url>-redux')+'-support'). Both action hashes should be computed and monitored for each protected WordPress site.
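The three monitoring points above, as an added detection helper (not code from the advisory or the Redux project): it derives the stage-1 and stage-2 action names for a protected host, then tags admin-ajax.php access-log lines that use a known or md5-shaped action and that drew a short 200 response. It assumes the plugin hashes the site URL in the same form as the page's IOC templates ("http://HOST/"); the host name and log lines are constructed.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit
# Added detection helper, not code from the advisory or the Redux project.
# Assumption: the plugin hashes the site URL in the form the page's IOC
# templates use ("http://HOST/"); pass the site's real site_url() form if it differs.

def redux_action_names(site_url):  # (stage1, stage2) as the description states
    stage1 = hashlib.md5((site_url + "-redux").encode()).hexdigest()
    stage2 = hashlib.md5((stage1 + "-support").encode()).hexdigest()
    return stage1, stage2

def candidate_actions(hostname):  # every predictable action name -> label
    table = {}
    for scheme in ("http", "https"):
        s1, s2 = redux_action_names(f"{scheme}://{hostname}/")
        table[s1] = f"stage1/{scheme}"
        table[s2] = f"stage2/{scheme}"
    return table

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')
MD5_RE = re.compile(r"^[a-f0-9]{32}$")

def classify_request(line, known):  # tags for one access-log line, [] if clean
    m = LOG_RE.search(line)
    url = urlsplit(m["target"]) if m else None
    if url is None or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    action = parse_qs(url.query).get("action", [""])[0]
    tags = []
    if action in known:
        tags.append("known-redux-action:" + known[action])
    elif MD5_RE.match(action):
        tags.append("md5-shaped-action")  # bullet 1: a hash where a name belongs
    if tags and m["status"] == "200" and m["size"] != "-" and int(m["size"]) < 50:
        tags.append("short-200-response")  # bullet 2: 32-byte hash body
    return tags

# Constructed sample lines for a fictional host (not real traffic).
KNOWN = candidate_actions("blog.example.test")
STAGE1_HTTPS = redux_action_names("https://blog.example.test/")[0]
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2021:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48',
    f'203.0.113.7 - - [02/Sep/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action={STAGE1_HTTPS} HTTP/1.1" 200 32',
    '203.0.113.7 - - [02/Sep/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=0123456789abcdef0123456789abcdef HTTP/1.1" 200 32',
]

def scan(lines, known):  # (index, tags) for every flagged line
    return [(i, t) for i, line in enumerate(lines) if (t := classify_request(line, known))]
```

Feed `scan()` the site's real admin-ajax.php log lines and the table from `candidate_actions()`; an exact stage-1 or stage-2 match is a probe for this CVE, while an unknown md5-shaped action is worth a second look.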

CVSS provenance

NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N