WordPress Plugin Vulnerabilities

Brizy < 2.3.12 - Authenticated File Upload and Path Traversal

Description

Through the brizy_create_block_screenshot AJAX action, an authenticated user could supply a filename via the id parameter and the file contents via the ibsf parameter; the contents were base64-decoded and written to that filename. Although the plugin appended .jpg to every uploaded filename, a double-extension attack remained possible.

For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location.
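The description above names two separate weaknesses in how the screenshot name and payload were handled: the filename was not confined to the upload directory, and appending .jpg did not neutralise an earlier extension. The following PHP, added here as an illustration and not taken from Brizy or from the advisory, shows the checks a plugin would apply instead. The function names safe_screenshot_path, is_jpeg and store_screenshot, the $allowedDir argument and the sample values are all assumptions made for this example; it goes slightly beyond the advisory by stripping every extension rather than only the last one, so that any number of stacked extensions collapses to a single forced .jpg.

```php
<?php
// Added example (not Brizy's code): hardened handling of an uploaded
// screenshot name and payload of the kind the advisory describes.
// safe_screenshot_path(), is_jpeg(), store_screenshot() and $allowedDir
// are assumed names chosen for this illustration.

/**
 * Derive a safe target path from an untrusted identifier.
 * Returns null when the identifier cannot be reduced to a safe name.
 */
function safe_screenshot_path(string $untrustedId, string $allowedDir): ?string
{
    // Drop every directory component: "../../x" and "/etc/x" both become "x".
    $name = basename(str_replace('\\', '/', $untrustedId));

    // Remove all extensions, not just the last one: "shell.php.jpg" -> "shell".
    $name = explode('.', $name)[0];

    // Allow only a conservative character set and a bounded length.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) !== 1) {
        return null;
    }

    // Resolve the permitted directory and force a single fixed extension.
    $dir = realpath($allowedDir);
    if ($dir === false) {
        return null;
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name . '.jpg';

    // Defence in depth: the final path must still sit inside the allowed directory.
    if (strpos($target, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Check that decoded bytes begin with the JPEG SOI marker (FF D8 FF),
 * so arbitrary text cannot be stored under an image name.
 */
function is_jpeg(string $bytes): bool
{
    return strlen($bytes) >= 3 && substr($bytes, 0, 3) === "\xFF\xD8\xFF";
}

/**
 * Strict decode, content check, then name check; returns the written path
 * or null if any step rejects the input.
 */
function store_screenshot(string $id, string $ibsf, string $allowedDir): ?string
{
    $data = base64_decode($ibsf, true); // strict mode rejects malformed input
    if ($data === false || !is_jpeg($data)) {
        return null;
    }
    $path = safe_screenshot_path($id, $allowedDir);
    if ($path === null) {
        return null;
    }
    return file_put_contents($path, $data) === false ? null : $path;
}

// Constructed demonstration values; the directory is created only for the demo.
$dir = sys_get_temp_dir() . '/screenshots-demo';
@mkdir($dir);
var_dump(safe_screenshot_path('block-42', $dir));
var_dump(safe_screenshot_path('shell.php', $dir));
var_dump(safe_screenshot_path('../../wp-config', $dir));
var_dump(safe_screenshot_path('..', $dir));
var_dump(store_screenshot('block-42', base64_encode("\xFF\xD8\xFF" . 'demo'), $dir));
var_dump(store_screenshot('block-42', base64_encode('<?php echo 1; ?>'), $dir));
```

In a real WordPress plugin the same idea is usually expressed with the core helpers sanitize_file_name() and wp_upload_dir(), and the AJAX handler should additionally check capabilities and a nonce before touching the filesystem. Note that these checks only address what the plugin writes; the server-side point raised in the description, where an AddHandler or unanchored SetHandler directive lets Apache execute a .php.jpg file, is a web-server configuration matter and should be fixed independently by restricting PHP execution in the uploads directory.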

Affects Plugins

Brizy (fixed in 2.3.12)

Miscellaneous

Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Verified
Yes

Timeline

Publicly Published
2021-10-13
Added
2021-10-13
Last Updated
2022-04-12
