My TechDecisions

Network Security

Vulnerabilities Found In Popular WordPress Plugin

Brizy Page Builder plugin has known vulnerabilities, which could lead to the potential compromise of thousands of WordPress websites.

Leave a Comment

Fortinet Vulnerability, Fortigate
stock.adobe.com

Brizy Page Builder, a popular WordPress plugin known as one of the best website builders for non-techies has known vulnerabilities, which could lead to the potential compromise of thousands of WordPress websites.

Researchers at Security firm Wordfence stumbled upon the Brizy Page Builder vulnerabilities during a routine review of its firewall rules. The company discovered the vulnerability as well as two previously patched access control vulnerabilities in the plugin that had been reintroduced.

The first vulnerability could allow complete site takeover, allowing any logged-in user to modify any published post and add malicious JavaScript to it.

Related: Is the Great Resignation Increasing Cloud App Security Risks?

“While the Brizy – Page Builder plugin does not offer a direct way for lower-privileged users such as contributors to add JavaScript to page content, it was possible for a lower-privileged user to modify a request sent to update a page via the brizy_update_item AJAX action by adding JavaScript to the data parameter. The added JavaScript would then be executed if the post was viewed or previewed by another user, such as an administrator,” said Wordfence in a blog post.

The other flaw could allow any logged-in user to upload potentially executable files and achieve remote code execution.

The Page Builder plugin did not appear to be under attack, according to Wordfence.

The high severity issue stems from a lack of proper authorization checks with the plugin. “Unfortunately, due to a logic flaw, being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check due to the use of the is_admin() function for authorization checking,” said Wordfence in a blog post.

An older access-control bug (CVE-2021-3835) was patched in June but reintroduced in version 1.0.17 this year.

It is recommended to update to the latest version of Brizy Page Builder (2.3.17) as soon as possible.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ