Description

WordPress Plugin Brizy-Page Builder is prone to multiple vulnerabilities, including cross-site scripting and security bypass vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, or to perform otherwise restricted actions and subsequently enable/disable the Brizy editor and modify the template used. WordPress Plugin Brizy-Page Builder version 2.4.43 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.4.44 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/brizy/brizy-page-builder-2443-missing-authorization

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/brizy/brizy-page-builder-2443-authenticated-contributor-stored-cross-site-scripting-via-custom-attributes

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/brizy/brizy-page-builder-2443-authenticated-contributor-store-cross-site-scripting-via-widget-link-to-url

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/brizy/brizy-page-builder-2443-unauthenticated-stored-cross-site-scripting-via-form

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/brizy/brizy-page-builder-2443-authenticatedcontributor-stored-cross-site-scripting-via-form-functionality

https://plugins.svn.wordpress.org/brizy/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin Caldera Forms-More Than Contact Forms Cross-Site Scripting (1.4.1)

WordPress Plugin Processing Embed 'pluginurl' Parameter Cross-Site Scripting (0.5)

WordPress Plugin Shop Page WP Cross-Site Scripting (1.2.7)

Oracle Database Server CVE-2014-6452 Vulnerability (CVE-2014-6452)

Ruby Improper Input Validation Vulnerability (CVE-2008-3657)

Severity

High

Classification

CVE-2024-1161 CVE-2024-1164 CVE-2024-2087 CVE-2024-3667 CVE-2024-3711 CWE-79 CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update