PT-2021-22030 · WordPress · The Gutenberg Template Library & Redux Framework

Ramuel Gall · Published 2021-09-02 · Updated 2022-10-27 · CVE-2021-38312

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: The Gutenberg Template Library & Redux Framework plugin versions prior to 4.2.12
Description: The issue is an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST route. Specifically, the permissions callback in the “redux-templates/classes/class-api.php” file only checks for the edit posts (edit_posts) capability, which is granted to lower-privileged users such as contributors. This allows such users to install arbitrary plugins from the WordPress repository and to edit arbitrary posts.
Recommendations: For versions prior to 4.2.12, update to version 4.2.12 or later to resolve the issue. As a temporary workaround, restrict access to the REST API endpoints registered under the “redux/v1/templates/” REST route so that lower-privileged users cannot install arbitrary plugins or edit posts.
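The following constructed example illustrates the class of defect described above and the workaround suggested in the recommendations. It is added here for explanation and is not code from the plugin; the “example/v1” namespace, the route name and every function name are hypothetical, while register_rest_route, current_user_can, WP_Error and the rest_request_before_callbacks filter are standard WordPress APIs. It contrasts a permission callback that only checks edit_posts (which contributors hold) with one that requires the capability matching the privileged action, and then shows a site-level guard for the route prefix named in the advisory that an administrator could drop into a must-use plugin until the update is applied.

```php
<?php
// Constructed illustration, not the plugin's own code. Namespace, route and
// function names are hypothetical; the WordPress functions and filters used
// are real core APIs.

// Hypothetical endpoint that installs a plugin from the WordPress.org
// repository. The action it performs is privileged, so the capability it
// requires should be install_plugins, not edit_posts.
function example_install_plugin_handler( WP_REST_Request $request ) {
    $slug = sanitize_key( $request->get_param( 'slug' ) );
    // Installation logic would go here; omitted for brevity.
    return rest_ensure_response( array( 'installed' => $slug ) );
}

// WEAK: every user who can edit posts (contributors and above) passes this
// check. This is the authorization defect the advisory describes: the check
// does not match the sensitivity of the action behind the endpoint.
function example_weak_permission_callback( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// HARDENED: require the capability that corresponds to the action. On a
// single site only administrators hold install_plugins; contributors,
// authors and editors do not.
function example_hardened_permission_callback( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to install plugins.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_install_plugin_handler',
        // Using the hardened callback here closes the hole; the weak one
        // above is kept only to show the difference.
        'permission_callback' => 'example_hardened_permission_callback',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

// Temporary site-level mitigation matching the advisory's workaround: until
// the plugin is updated, reject requests to any route under the
// redux/v1/templates/ prefix unless the caller can install plugins.
// rest_request_before_callbacks runs before the endpoint's own callbacks;
// returning a WP_Error from it short-circuits the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route(); // e.g. "/redux/v1/templates/..."
    if ( 0 === strpos( $route, '/redux/v1/templates/' )
         && ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Insufficient privileges for this endpoint.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}, 10, 3 );
```

The guard at the end is deliberately coarse: it blocks the whole route prefix for anyone below the install_plugins capability, which may also disable legitimate template features for editors. That trade-off is acceptable only as a stopgap; updating to 4.2.12 or later remains the fix. When reviewing any REST route, the check to make is whether the permission_callback's capability matches the most privileged action the handler can perform, since a callback that only checks edit_posts in front of plugin installation is exactly the pattern behind this CVE.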

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2021-38312

Affected Products

The Gutenberg Template Library & Redux Framework