Brizy – Page Builder < 2.4.44 – Missing Authorization | CVE 2024-3711 | Plugin Vulnerabilities

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.

Affects Plugins

Fixed in 2.4.44

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7092ce4a-bad9-4426-b94e-d9d688344272

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

9f4b06a3-1090-41e5-872e-7142b6f402fc

Timeline

Publicly Published

2024-05-22 (about 1 year ago)

Added

2024-05-22 (about 1 year ago)

Last Updated

2024-05-23 (about 1 year ago)

Other

Published

Title

Published

2024-08-26

Title

LWS Affiliation < 2.3.5 - Missing Authorization

Published

2024-08-01

Title

WooCommerce PDF Vouchers < 4.9.5 - Missing Authorization

Published

2025-09-22

Title

Lazy Blocks < 4.1.1 - Missing Authorization

Published

2025-03-24

Title

Menu Duplicator <= 1.0 - Missing Authorization

Published

2022-02-24

Title

Total Upkeep < 1.14.14 - Subscriber+ Backup Disclosure