CVE-2021-38312: 
WordPress vulnerability analysis and mitigation

The Gutenberg Template Library & Redux Framework plugin version 4.2.11 and earlier for WordPress contained a vulnerability identified as CVE-2021-38312. The vulnerability was discovered in September 2021 and affected over 1 million WordPress websites. The issue stemmed from an incorrect authorization check in the REST API endpoints registered under the 'redux/v1/templates/' REST Route (Wordfence Blog, Threatpost).

The vulnerability arose from improper permission validation in the WordPress REST API implementation. The permissions_callback used in the file only checked for the edit_posts capability, which is granted to lower-privileged users such as contributors. The vulnerability received a CVSS v3.1 score of 7.1 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. The issue was classified under CWE-863 (Incorrect Authorization) and CWE-280 (Improper Handling of Insufficient Permissions or Privileges) (NVD, WPScan).

The vulnerability allowed users with lower privileges, such as contributors, to perform unauthorized actions including installing arbitrary plugins from the WordPress repository and deleting arbitrary posts or pages. This could potentially lead to site compromise through malicious plugin installation or content manipulation (Wordfence Blog).

The vulnerability was patched in version 4.2.13 of the Gutenberg Template Library & Redux Framework plugin. Site administrators were advised to update their installations immediately to the patched version to prevent potential exploitation (WPScan).