Brizy – Page Builder < 2.4.45 – Missing Authorization to Authenticated (Contributor+) Post Modification | CVE 2024-1937 | Plugin Vulnerabilities

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript.

Affects Plugins

Fixed in 2.4.45

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb5f73c3-f40b-45d5-9947-c1a514d230f7

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

e0f3cf13-3312-4b25-be9f-8ad21acaea51

Timeline

Publicly Published

2024-07-15 (about 1 year ago)

Added

2024-07-15 (about 1 year ago)

Last Updated

2024-07-16 (about 1 year ago)

Other

Published

Title

Published

2023-11-22

Title

Super Progressive Web Apps < 2.2.22 - Missing Authorization

Published

2025-08-15

Title

BetterDocs < 4.1.2 - Missing Authorization to Private And Password-Protected Posts Information Disclosure

Published

2025-04-01

Title

Demo Awesome <= 1.0.3 - Missing Authorization to Authenticated (Subscriber+) Plugin Activation

Published

2024-01-31

Title

PropertyHive < 2.0.7 - Missing Authorization via activate_pro_feature

Published

2022-08-22

Title

WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update