CVE-2021-38346 – Brizy <= 2.3.11 Authenticated Unrestricted File Upload and Path Traversal
https://notcve.org/view.php?id=CVE-2021-38346
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations.
• https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2021-38345 – Brizy <= 1.0.125 and 1.0.127 – 2.3.11 Incorrect authorization checks allowing Post modification
https://notcve.org/view.php?id=CVE-2021-38345
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.
• https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-863: Incorrect Authorization
CVE-2020-36714 – Brizy < 1.0.126 - Authorization Bypass to Settings Updates
https://notcve.org/view.php?id=CVE-2020-36714
The Brizy plugin for WordPress is vulnerable to authorization bypass due to an incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX functions.
• https://blog.nintechnet.com/wordpress-brizy-page-builder-plugin-fixed-critical-vulnerabilities
• https://www.wordfence.com/threat-intel/vulnerabilities/id/9495e25d-a5a6-4f25-9363-783626e58a4a?source=cve
• CWE-285: Improper Authorization
• CWE-863: Incorrect Authorization