CleanTalk
Vulnerabilities and Security Research

Vulnerabilities and security research for redux-framework

Redux Framework # PSC-2025-64592

PSC: PSC-2025-64592
Application: Redux Framework
Date: Aug 28, 2025
Research Description:
The Redux Framework has long been the go-to options framework for WordPress developers. It provides an extensible, fully responsive environment for building option panels, customizer controls, and advanced UI fields for themes and plugins. By saving developers months of work, Redux accelerates innovation while maintaining a clean, standards-based architecture. With the release of version 4.5.7, Redux Framework has officially achieved the Plugin Security Certification (PSC-2025-64592) by CleanTalk, confirming its resilience against critical web application vulnerabilities. This certification ensures that developers can integrate Redux into their projects with full confidence in both functionality and security hardening.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED
Redux Framework # CVE-2024-6828

CVE: CVE-2024-6828
Application: Redux Framework
Date: Jul 23, 2024
Research Description:
The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases where wp_filesystem fails to initialize, remote code execution.
Affected versions: Min -, max -.
Status: vulnerable
Jun 07, 2024

Redux Framework # CVE-2021-38314

CVE: CVE-2021-38314
Application: Redux Framework
Date: Sep 02, 2021
Research Description:
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php`. These action names were unique to a given site but deterministic and predictable, since they were based on an md5 hash of the site URL with a known salt value of '-redux', and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
Affected versions: Min -, max -.
Status: vulnerable

Redux Framework # CVE-2021-38312

CVE: CVE-2021-38312
Application: Redux Framework
Date: Sep 02, 2021
Research Description:
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the `redux/v1/templates/` REST route in `redux-templates/classes/class-api.php`. The `permissions_callback` used in this file only checked for the `edit_posts` capability, which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts.
Affected versions: Min -, max -.
Status: vulnerable