WordPress Plugin Vulnerabilities

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Directory Traversal

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server

Affects Plugins

Plugin icon
brizy
Fixed in 2.4.41

References

CVE
CVE-2024-1165
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7673b2ba-5d7a-4ae9-92e7-1a910687fdb8

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
e5ef82c4-3a15-4bd6-8fee-c519b5de8fcd

Timeline

Publicly Published
2024-02-23 (about 2 years ago)
Added
2024-02-23 (about 2 years ago)
Last Updated
2024-02-23 (about 2 years ago)

Other

Published
Title
Published
2025-09-26
Title
Workreap < 3.3.6 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2026-01-16
Title
Feeds for YouTube Pro < 2.6.1 - Unauthenticated Arbitrary File Read via Path Traversal
Published
2015-07-05
Title
WP e-Commerce Shop Styling <= 2.5 - Local File Inclusion
Published
2024-12-17
Title
WPLMS < 1.9.9.5.2 - Authenticated (Contributor+) Arbitrary Directory Deletion
Published
2025-06-13
Title
Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read