{"id":"CVE-2021-38312","details":"The Gutenberg Template Library & Redux Framework plugin \u003c= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.","modified":"2026-04-12T01:57:36.994216Z","published":"2021-09-02T17:15:09.713Z","references":[{"type":"EVIDENCE","url":"https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/reduxframework/redux-framework","events":[{"introduced":"0"},{"last_affected":"19be1fa302fd9744226eddeb50b618cacc208e95"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"4.2.11"}],"cpe":"cpe:2.3:a:redux:gutenberg_template_library_\\&_redux_framework:*:*:*:*:*:wordpress:*:*","source":"CPE_FIELD"}}],"versions":["3.0.0-beta","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.2","3.1.3","3.1.4","3.1.6","3.1.8","3.1.9","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.8","3.2.9","3.2.9.13","3.3.0","3.3.1.1","3.3.3","3.3.4","3.3.6","3.3.8","3.3.9.4","3.4.0","3.4.3.6","3.5.0","3.5.1","3.5.5","3.5.5.10","3.5.7","3.5.9","3.6.0.1","3.6.15","3.6.16","3.6.17","3.6.18","3.6.5","4.1.28","4.1.29","4.2.0","4.2.1","4.2.10","4.2.11","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-38312.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}