WordPress Plugin Vulnerabilities

Brizy < 2.6.21 - Missing Authorization to Unauthenticated Limited File Upload

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server.

Affects Plugins

Plugin icon
brizy
Fixed in 2.6.21

References

CVE
CVE-2025-4370
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/db18f6b4-600d-4c63-a9f2-4e3b8ab4fba3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
f88f3fc7-ebe5-49ea-a920-67d3aee9fe76

Timeline

Publicly Published
2025-07-28 (about 9 months ago)
Added
2025-07-28 (about 9 months ago)
Last Updated
2025-07-29 (about 9 months ago)

Other

Published
Title
Published
2024-05-20
Title
Fastly < 1.2.26 - Missing Authorization
Published
2026-01-21
Title
iNET Webkit <= 1.2.4 - Missing Authorization
Published
2026-01-18
Title
Smart Product Viewer <= 1.5.4 - Missing Authorization
Published
2025-12-23
Title
e-xact-hosted-payment <= 2.0 - Unauthenticated Arbitrary File Deletion
Published
2024-01-05
Title
Quiz Maker < 6.5.1.2 - Missing Authorization