The Redux Framework plugin is a powerful and extensible options framework for WordPress that allows developers to create custom themes and plugins with an intuitive user interface for settings and configurations.
On July 22th, 2024, a high security vulnerability was discovered in the Redux Framework plugin for WordPress, marked as CVE-2024-6828. The plugins have more than 10 lakh active installations. This flaw, rated with a CVSS3.x score of 7.2 out of 10.0, is identified as an JSON File Upload to Stored Cross-Site Scripting vulnerability impacting Redux Framework plugin versions 4.4.12 through 4.4.17.
Qualys Web Application Scanning released a QID 152042 to address CVE-2024-6828.
About CVE-2024-6828
| Severity | 4 |
| CVSS 3.x Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CVSS 3.x Score | 7.2 |
| Affected Versions | 4.4.12 through 4.4.17 |
The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize to Remote Code Execution.
Impact
Successful exploitation of this vulnerability could allow unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and in some rare cases, when the wp_filesystem fails to initialize to Remote Code Execution.
Mitigation
Customers are advised to upgrade to Redux Framework plugin 4.4.18 or later version to remediate this vulnerability.
