CVE-2021-38314
Published 2021-09-02
Priority P3 · 50 · medium · CVSS 3.1: 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 28.96% (97.9th percentile)
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable, because they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redux.io | gutenberg_template_library_redux_framework | 4.2.11 – 4.2.11 | — |
| redux | gutenberg_template_library_redux_framework | <= 4.2.11 | — |
Detection & IOCs (extracted from sources)
yara
rule CVE_2021_38314_Redux_AJAX_Probe {
    strings:
        $path = "/wp-admin/admin-ajax.php?action="
        $hash = /[a-f0-9]{32}/
    condition:
        $path and $hash
}
- The vulnerable AJAX action parameter is a predictable md5 hash: md5('<site_url>-redux'). Monitor GET requests to /wp-admin/admin-ajax.php where the `action` parameter is a 32-character lowercase hex string (md5 format) with no other recognizable action name.
- A successful exploitation response body is a 32-character lowercase hex string (unsalted md5 of AUTH_KEY+SECURE_AUTH_KEY) with body length under 50 bytes. Alert on 200 responses to admin-ajax.php matching this pattern.
- The second-stage AJAX action (for plugin/PHP version enumeration) is md5(md5('<site_url>-redux')+'-support'). Both action hashes should be computed and monitored for each protected WordPress site.
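As an added worked example (not code from the plugin, the advisory, or any of the sources quoted on this page), the following Python derives the two predictable action names from the description above and then applies the three IOC notes to a handful of constructed access-log lines. It assumes the site URL is hashed exactly as passed (scheme and host, no trailing slash) and that the log is in Apache combined format; neither detail is stated on this page, so compute both slash variants if you are unsure how the target site reports its URL.

```python
from __future__ import annotations

import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Known salts from the advisory text.
REDUX_SALT = "-redux"
SUPPORT_SALT = "-support"

# md5 hexdigest shape: 32 lowercase hex characters, nothing else.
HEX32 = re.compile(r"^[a-f0-9]{32}$")

# Apache combined-log line (assumed format): ip ident user [ts] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def redux_action_names(site_url: str) -> tuple[str, str]:
    """Return (key_hash_action, support_action) for one site.

    Assumption: site_url is hashed exactly as given; a trailing slash or a
    different scheme produces different hashes, so normalize deliberately.
    """
    first = hashlib.md5((site_url + REDUX_SALT).encode()).hexdigest()
    second = hashlib.md5((first + SUPPORT_SALT).encode()).hexdigest()
    return first, second


def classify_request(site_url: str, line: str) -> dict | None:
    """Return a finding for an admin-ajax.php request whose action is md5-shaped,
    or None for anything that does not fit the IOC pattern."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(target.query).get("action", [""])[0]
    if not HEX32.match(action):
        return None

    key_action, support_action = redux_action_names(site_url)
    if action == key_action:
        kind = "redux-auth-key-hash"
    elif action == support_action:
        kind = "redux-support-data"
    else:
        kind = "unknown-md5-action"

    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    # IOC note 2: the key-hash action answers with a bare 32-hex string, so a
    # 200 with a body under 50 bytes is the signature of a successful leak.
    leaked = kind == "redux-auth-key-hash" and status == 200 and 0 < size < 50
    return {"ip": m.group("ip"), "action": action, "kind": kind,
            "status": status, "size": size, "likely_leak": leaked}


def scan(site_url: str, lines: list[str]) -> list[dict]:
    """Run classify_request over a log and keep only the findings."""
    return [f for f in (classify_request(site_url, ln) for ln in lines) if f]


def sample_log(site_url: str) -> list[str]:
    """Constructed log lines (not real traffic): a probe that leaked the key
    hash, the follow-up enumeration call, a benign heartbeat, a blocked probe,
    and an md5-shaped action that is not one of the Redux hashes."""
    key_action, support_action = redux_action_names(site_url)
    return [
        f'203.0.113.7 - - [02/Sep/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action={key_action} HTTP/1.1" 200 32',
        f'203.0.113.7 - - [02/Sep/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action={support_action} HTTP/1.1" 200 1874',
        '198.51.100.9 - - [02/Sep/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41',
        f'203.0.113.8 - - [02/Sep/2021:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action={key_action} HTTP/1.1" 403 199',
        '203.0.113.8 - - [02/Sep/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=0123456789abcdef0123456789abcdef HTTP/1.1" 400 0',
    ]


if __name__ == "__main__":
    site = "https://example.com"  # constructed target, not a real deployment
    for finding in scan(site, sample_log(site)):
        print(finding)
```

The detector is stricter than the YARA rule above on purpose: that rule fires whenever both strings appear anywhere in the scanned buffer, so a legitimate admin-ajax request carrying a 32-hex nonce elsewhere on the line also matches. Here the md5-shaped value must be the `action` parameter itself, and it is compared against the two site-specific hashes, so an `unknown-md5-action` finding is worth a look but only a match on the computed values is the Redux probe.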
CVSS provenance
NVD v3.1: 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD v2.0: 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
Nuclei
CVE-2021-38314 [MEDIUM] WordPress Redux Framework <=4.2.11 - Information Disclosure (nuclei · CVSS 5.3)
WordPress Redux Framework plugin through 4.2.11 is susceptible to information disclosure. The plugin registers several unique AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php. These are predictable, given that they are based on an md5 hash of the site URL with a known salt value of -redux and an md5 hash of the previous hash with a known salt value of -support. An attacker can potentially employ these AJAX actions to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's AUTH_KEY concatenated with the SECURE_AUTH_KEY.
Template:
id: CVE-2021-38314
info:
  name: WordPress Redux Framework <=4.2.11 - Information D
HackerOne
CVE-2021-38314 [MEDIUM] Unauthenticated Sensitive Information Disclosure on █████████ (hackerone · 2025-09-02 · CVSS 5.3)
Report #1452774 was a validated security vulnerability that affected ██████████. The researcher identified an unauthenticated sensitive information disclosure issue (CVE-2021-38314) in the Gutenberg Template Library & Redux Framework plugin version 4.2.11 and below.
Vulnerability Details:
The plugin registered several AJAX actions that were accessible to unauthenticated users. These actions used predictable endpoints based on md5 hashes of the site URL with known salt values ('-redux' and '-support'). This allowed attackers to retrieve sensitive system information without authentication.
HackerOne
CVE-2021-38314 [MEDIUM] CVE-2021-38314 @ https://www.mtn.ci (hackerone · 2022-09-05 · CVSS 5.3)
## Summary:
Hello.
I found that your domain https://www.mtn.ci was vulnerable to CVE-2021-38314.
## Description:
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
## Reference
HackerOne
CVE-2021-38314 [MEDIUM] CVE-2021-38314 @ https://www.mtn.co.rw (hackerone · 2022-09-05 · CVSS 5.3)
## Summary:
Hello.
I found that your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314.
## Description:
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
## Reference