CVE-2021-38314 Overview
The Gutenberg Template Library & Redux Framework plugin for WordPress versions 4.2.11 and earlier contains an information disclosure vulnerability that exposes sensitive site data to unauthenticated attackers. The vulnerability exists in the includes function within redux-core/class-redux-core.php, where several AJAX actions are registered that can be accessed without authentication.
The flaw stems from a predictable AJAX action naming scheme that uses MD5 hashes with known salt values. Attackers can compute these deterministic hash values using the target site's URL combined with the salt values -redux and -support, allowing them to invoke protected AJAX endpoints and extract sensitive information.
Critical Impact
Unauthenticated attackers can retrieve active plugin lists, plugin versions, PHP version information, and an unsalted MD5 hash of the site's AUTH_KEY concatenated with SECURE_AUTH_KEY, potentially enabling further attacks against affected WordPress installations.
Affected Products
- Redux Gutenberg Template Library & Redux Framework <= 4.2.11 for WordPress
Discovery Timeline
- 2021-09-02 - CVE CVE-2021-38314 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-38314
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-916 (Use of Password Hash With Insufficient Computational Effort). The core issue lies in the plugin's use of predictable, deterministic AJAX action names that can be computed by any attacker with knowledge of the target site's URL.
The plugin generates unique AJAX action identifiers by creating an MD5 hash of the site URL with the salt value -redux, then creates a secondary hash of that result with the salt value -support. Because these salt values are hardcoded and publicly known, any attacker can compute the exact AJAX action names for any WordPress site running the vulnerable plugin version.
Once an attacker determines these AJAX action endpoints, they can invoke them without any authentication, extracting sensitive server configuration details that could be leveraged for further exploitation.
Root Cause
The vulnerability originates from an insecure design decision in the redux-core/class-redux-core.php file. The plugin registers AJAX actions using predictable identifiers derived from MD5 hashes with static, hardcoded salt values. This approach was likely intended to create site-specific endpoints, but the deterministic nature of the hashing combined with known salts completely undermines this security mechanism.
The fundamental flaw is the assumption that obscurity through hashing provides security, when in fact the predictable inputs and known salts make the resulting action names trivially computable.
Attack Vector
The attack is executed over the network and requires no authentication or user interaction. An attacker follows these steps to exploit the vulnerability:
- Identify a WordPress site running the Redux Framework plugin
- Compute the MD5 hash of the site URL concatenated with -redux
- Compute a second MD5 hash of the first hash concatenated with -support
- Use these computed values to construct valid AJAX action names
- Send unauthenticated requests to the WordPress AJAX handler targeting these endpoints
- Extract the returned sensitive information including active plugins, versions, PHP version, and authentication key hashes
The exposed AUTH_KEY and SECURE_AUTH_KEY hash could potentially be used in offline cracking attempts or to validate authentication cookies in certain attack scenarios.
Detection Methods for CVE-2021-38314
Indicators of Compromise
- Unusual AJAX requests to wp-admin/admin-ajax.php with computed hash-based action parameters
- Multiple requests from the same IP attempting various hash-based action names
- Server logs showing successful responses to unauthenticated AJAX requests returning JSON with plugin or PHP version information
- Requests containing MD5-formatted action names (32-character hexadecimal strings)
Detection Strategies
- Monitor WordPress AJAX endpoints for requests with action parameters matching the MD5 hash pattern characteristic of this vulnerability
- Implement web application firewall rules to detect and block requests targeting the known vulnerable AJAX action patterns
- Review access logs for sequential requests attempting to enumerate site information through AJAX endpoints
- Deploy intrusion detection signatures that identify response patterns containing plugin lists or PHP version disclosures
Monitoring Recommendations
- Enable detailed logging for all admin-ajax.php requests and monitor for anomalous patterns
- Set up alerts for multiple failed or unusual AJAX requests from single IP addresses
- Monitor for requests that result in JSON responses containing sensitive system information
- Conduct regular security scans to identify WordPress plugins with known vulnerabilities
How to Mitigate CVE-2021-38314
Immediate Actions Required
- Update the Redux Framework plugin to version 4.2.12 or later immediately
- Review server access logs for evidence of exploitation attempts
- If exploitation is suspected, consider rotating WordPress authentication keys (AUTH_KEY, SECURE_AUTH_KEY) in wp-config.php
- Implement web application firewall rules to block unauthenticated AJAX requests to vulnerable endpoints
Patch Information
The vulnerability was addressed in Redux Framework version 4.2.12 and later. Site administrators should update through the WordPress plugin management interface or by downloading the latest version from the WordPress plugin repository. For additional technical details about this vulnerability and its impact on over one million WordPress sites, refer to the Wordfence security analysis.
Workarounds
- If immediate patching is not possible, consider temporarily deactivating the Redux Framework plugin until an update can be applied
- Implement server-level access controls to restrict unauthenticated requests to admin-ajax.php
- Use a web application firewall to filter requests containing hash-based action parameters
- Consider temporarily blocking external access to WordPress AJAX endpoints if the plugin functionality is not publicly required
# Regenerate WordPress authentication keys in wp-config.php
# Replace existing keys with new values from https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY', 'generate-new-unique-phrase-here');
define('SECURE_AUTH_KEY', 'generate-new-unique-phrase-here');
define('LOGGED_IN_KEY', 'generate-new-unique-phrase-here');
define('NONCE_KEY', 'generate-new-unique-phrase-here');
define('AUTH_SALT', 'generate-new-unique-phrase-here');
define('SECURE_AUTH_SALT', 'generate-new-unique-phrase-here');
define('LOGGED_IN_SALT', 'generate-new-unique-phrase-here');
define('NONCE_SALT', 'generate-new-unique-phrase-here');
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
