750,000 WordPress Sites Vulnerable to Gutenberg Plugin


At least 750,000 WordPress sites are exposed to two vulnerabilities in a plugin called Gutenberg Template Library & Redux Framework, an extension that lets WordPress sites add a wide range of templates and blocks. The first vulnerability allows a user with limited privileges to install and activate arbitrary plugins, as well as delete arbitrary posts and pages.


The second vulnerability would allow an unauthenticated attacker to learn a variety of information about the website, such as the PHP version, the installed plugins and their version numbers, and an unsalted MD5 hash of the auth_key and secure_auth_key. These keys are used to make changes to the website. According to security firm Wordfence, which discovered both vulnerabilities, an attacker could use the latter vulnerability as a stepping stone for further attacks.


Both vulnerabilities were reported to the developers on August 3, who released a security update, version 4.2.13, on August 11. The plugin is installed on over 1 million WordPress sites, and the vulnerabilities are present in version 4.2.11 and earlier. Of these sites, 750,000 run version 4.1 or older and are therefore vulnerable.


About 250,000 websites are running version 4.2.x of the plugin. However, WordPress does not publish exact version numbers, so the number of vulnerable websites on an old 4.2.x release is unclear. Administrators are advised to update to the latest version.
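The version ambiguity described above matters when triaging a fleet of sites. The following is an added example (not code from the article or from Wordfence) that classifies plugin version strings against the last affected release (4.2.11) and the fixed release (4.2.13) named in the article, treating a bare "4.2" branch as unclear rather than guessing; the hostnames and version strings in the inventory are constructed.

```python
# Added example: triage reported plugin versions against the fixed release (4.2.13)
# and the last affected release (4.2.11) named in the article.
# The sample inventory below is constructed, not real data.
from typing import Optional, Tuple

LAST_VULNERABLE = (4, 2, 11)   # "present in version 4.2.11 and earlier"
FIXED = (4, 2, 13)             # security update shipped as 4.2.13


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '4.2.11' into (4, 2, 11); return None if the string is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched', 'unclear' or 'unknown' for one reported version."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if len(v) < 3:
        # Only the branch is known (e.g. "4.2"): a 4.2 branch cannot be placed on
        # either side of 4.2.13, while 4.1 or older is below every affected release.
        padded = v + (0,) * (3 - len(v))
        if padded[:2] == FIXED[:2]:
            return "unclear"
        return "vulnerable" if padded <= LAST_VULNERABLE else "patched"
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIXED:
        return "patched"
    return "unclear"   # 4.2.12: the article names it neither as affected nor as the fix


# Constructed inventory: "hostname<TAB>version", as an admin might export it.
SAMPLE_INVENTORY = """\
blog.example.test\t4.1.26
shop.example.test\t4.2.11
docs.example.test\t4.2
news.example.test\t4.2.13
old.example.test\tunknown
"""


def triage(inventory: str) -> dict:
    """Map each hostname to a classification so vulnerable hosts are updated first."""
    result = {}
    for line in inventory.splitlines():
        host, _, version = line.partition("\t")
        result[host] = classify(version)
    return result
```

Hosts classified as "unclear" should be checked directly on the site's plugin page, since the public statistics only expose the branch.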
