WordPress Plugin Vulnerabilities

Brizy - Page Builder < 1.0.114 - Unauthenticated Site Settings Update

Description


The plugin fails to restrict access to the site settings page, allowing unauthenticated users to change settings such as the site title and description, and to place an XSS payload in the footer, leading to unauthenticated stored XSS.

As we saw probes in the wild checking for the issue, we chose to disclose it (see below for details).

February 10th, 2020 - Report received & WP Plugins Team notified.
February 12th, 2020 - WP Plugins Team investigating
February 12th, 2020 - v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 - Seeing probes checking for the issue
March 4th, 2020 - Contacted the WP Plugins Team for an ETA on re-opening the plugin
March 5th, 2020 - Plugin cannot be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 - Issue disclosed; we recommend removing the plugin until a new version is available and downloadable
March 6th, 2020 - Plugin re-opened

Proof of Concept

Affects Plugins

Fixed in 1.0.114

Classification

Miscellaneous

Original Researcher
Riki Aji
Submitter
systemR
Verified
Yes

Timeline

Publicly Published
2020-03-05 (about 6 years ago)
Added
2020-03-05 (about 6 years ago)
Last Updated
2020-03-06 (about 6 years ago)

Other