CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5.0 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N
The plugin bundles an outdated version of the Redux Framework, which is known to be affected by security issues (CVE-2021-38312 and CVE-2021-38314). CVE-2021-38314 in particular could allow unauthenticated attackers to change some of the Framework's settings.
The action name of the first endpoint is derived from the website's URL (e.g., https://www.wordpress.com/) MD5-hashed with the "-redux" suffix appended.
For example, for the above URL, the first endpoint will be: https://www.wordpress.com/wp-admin/admin-ajax.php?action=16a8ca2d7a9690742c2048ec7b7f0f56
A plain, unauthenticated HTTP GET request to that first action returns the value needed to build the second hash, which is what triggers the "support_args" method.
Take the value returned by the first endpoint and MD5-hash it with the "-support" suffix appended. The resulting hash is the action name of the second endpoint, which can be used to modify some of the plugin's settings (e.g., enabling or disabling logging).
For example: POST /wp-admin/admin-ajax.php?action=30cf1a163dd8a8787885585aee1e1973&redux_framework_disable_tracking=tru
Note that the other parameters this endpoint accepts via the URL (e.g., hash, i, and code) are likewise known in advance to malicious actors, since nothing about the request is secret.
Impact: An unauthenticated malicious actor can change the plugin's settings and possibly cause it to disclose other sensitive information about the plugin.
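The chain above is fully predictable from the site URL, which cuts both ways: an attacker can precompute the action names, and a site owner can precompute them too and look for them in access logs. The following is an added example (not code from the advisory, the plugin, or the Redux Framework) that derives both action names as the advisory describes, builds the two request targets, and scans Apache-style access-log lines for requests that use those actions. Everything below the function definitions is constructed sample data: the site URL is the advisory's example, the value returned by the first endpoint is a made-up stand-in (real responses are site-specific), and the log lines are fabricated with RFC 5737 test addresses. The assumption that the site URL is hashed exactly as written (trailing slash included) and that the first endpoint returns the bare hash string is mine, not something the advisory states.

```python
# Added example, not code from the advisory or from the Redux Framework.
# Derives the predictable admin-ajax action names, builds the two request
# targets, and flags access-log lines that hit those actions.
# Assumptions (not stated on the page): the site URL is hashed exactly as
# written, trailing slash included; the first endpoint's response body is
# the bare hash string; log lines are in Apache combined format.
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, the scheme the action names use."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def first_action(site_url: str) -> str:
    """Action name of the first endpoint: md5(site URL + '-redux')."""
    return md5_hex(site_url + "-redux")


def support_action(first_response: str) -> str:
    """Action name of the support_args endpoint: md5(first response + '-support')."""
    return md5_hex(first_response.strip() + "-support")


def exploit_chain_paths(site_url: str, first_response: str):
    """The two request targets in the order the advisory describes (GET, then POST)."""
    step1 = f"{AJAX_PATH}?action={first_action(site_url)}"
    step2 = (f"{AJAX_PATH}?action={support_action(first_response)}"
             "&redux_framework_disable_tracking=true")
    return step1, step2


def find_redux_actions(log_lines, site_url, first_response=None):
    """Return one dict per logged request whose admin-ajax action is a derived name.

    The site owner always knows the site URL, so the first name is computable
    offline; the second needs the value the first endpoint returns on that site.
    """
    wanted = {first_action(site_url): "first"}
    if first_response is not None:
        wanted[support_action(first_response)] = "support_args"
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith(AJAX_PATH):
            continue
        query = parse_qs(target.query)
        action = query.get("action", [None])[0]
        if action in wanted:
            hits.append({
                "method": m.group("method"),
                "endpoint": wanted[action],
                "action": action,
                # extra parameters tell you whether a setting change was attempted
                "params": sorted(k for k in query if k != "action"),
            })
    return hits


# Constructed sample data: the advisory's example URL plus a made-up stand-in
# for the first endpoint's response (real responses are site-specific).
SITE_URL = "https://www.wordpress.com/"
FIRST_RESPONSE = "0123456789abcdef0123456789abcdef"
_STEP1, _STEP2 = exploit_chain_paths(SITE_URL, FIRST_RESPONSE)
SAMPLE_LOG = [  # constructed log lines, RFC 5737 test addresses
    f'203.0.113.5 - - [01/Sep/2021:10:00:01 +0000] "GET {_STEP1} HTTP/1.1" 200 32 "-" "curl/7.68.0"',
    f'203.0.113.5 - - [01/Sep/2021:10:00:02 +0000] "POST {_STEP2} HTTP/1.1" 200 2 "-" "curl/7.68.0"',
    '198.51.100.7 - - [01/Sep/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_redux_actions(SAMPLE_LOG, SITE_URL, FIRST_RESPONSE):
        print(hit)
```

Because the first endpoint is reachable without authentication by design, a hit on it alone is not proof of exploitation; the request worth reviewing is a POST to the support_args action carrying redux_framework_disable_tracking (or the hash, i, and code parameters the advisory names) from a client with no authenticated session. Updating the bundled Redux Framework removes the predictable endpoints altogether, which is the actual fix.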