According to the official WordPress plugin directory, Gutenberg Template Library & Redux Framework has over a million active installations. Among other things, the plugin lets site operators manage and use templates for website designs. Administrators should make sure they are running version 4.2.13. According to the developers, this release closes two security holes (CVE-2021-38312, rated "high", and CVE-2021-38314, rated "medium"). Because of insufficient permission checks in the REST API endpoints the plugin registers with WordPress, an attacker with a low-privileged account (registered as an author) could install any plugin from the WordPress repository. If the attacker has first published a plugin containing malicious code there, installing it could be the first step toward taking over the site.
By exploiting the second flaw, an attacker could read configuration information about a site that should not have been accessible. The Wordfence researchers who discovered the vulnerabilities write in a blog post that the plugin's developers released a security patch within just under a week.
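The first flaw boils down to a REST route whose `permission_callback` does not demand the capability WordPress itself requires for installing plugins. The following is an added illustration written for this article, not code from Redux Framework or from Wordfence: it registers a hypothetical `example/v1/install-plugin` route twice, once with a weak check that authors and contributors pass, and once hardened. The route names, the `example_` callbacks and the slug validation are assumptions; `register_rest_route`, `current_user_can`, `plugins_api`, `Plugin_Upgrader` and `WP_Ajax_Upgrader_Skin` are real WordPress APIs.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Shows why a REST
 * permission_callback that only checks a low capability lets ordinary
 * users install plugins, and what a hardened registration looks like.
 */

// Weak variant (hypothetical): 'edit_posts' is held by every Contributor
// and Author, so any such user can reach the plugin-installing handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// Hardened variant: require the capabilities WordPress uses for plugin
// installation and activation (by default only Administrators hold them;
// 'install_plugins' is also denied automatically when DISALLOW_FILE_MODS
// is set), and validate the slug before the handler ever sees it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // WordPress.org plugin slugs: lowercase letters, digits, hyphens.
                    return is_string( $value )
                        && preg_match( '/^[a-z0-9-]{1,100}$/', $value ) === 1;
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

/**
 * Shared handler. Re-checks the capability as defence in depth so that a
 * route registered with a weak permission_callback still refuses to install.
 */
function example_install_plugin( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to install plugins.',
            array( 'status' => 403 )
        );
    }

    $slug = $request->get_param( 'slug' );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug to a WordPress.org package; anything not in the
    // repository comes back as WP_Error and is passed through unchanged.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Installation failed.', array( 'status' => 500 ) );
    }

    return rest_ensure_response( array( 'slug' => $slug, 'installed' => true ) );
}
```

The point of the hardened registration is that the capability check lives in `permission_callback`, where WordPress evaluates it before routing the request, and is repeated inside the handler; an attacker who can reach the route with an author account is then stopped twice rather than not at all.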