CVE-2021-38345

Brizy Page Builder <= 2.3.11 - Incorrect Authorization Checks Allowing Post Modification

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.1

CVSS Score

7.1

CVSS Score

high

Severity

1.0.126

Patched in

1197d

Time to patch

Description

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

None

Confidentiality

High

Integrity

Low

Availability

Technical Details

Affected versions<=1.0.125

PublishedOctober 13, 2020

Last updatedJanuary 22, 2024

Affected pluginbrizy

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/1161f41b-1594-4b1b-8a89-44a5a5a9dca6?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database