Skip to main content

Brizy CVE-2024-3711

MEDIUM
Missing Authorization (CWE-862)
2024-05-23 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 23, 2024 - 06:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.

AnalysisAI

The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used. Affected products include: Brizy.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

More in Brizy

View all
CVE-2020-36714 HIGH POC
7.4 Oct 20

The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_admin

CVE-2024-1311 HIGH
8.8 Mar 13

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio

CVE-2024-10960 CRITICAL
9.9 Feb 12

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio

CVE-2024-3242 HIGH
8.8 Jul 18

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension vali

CVE-2022-2041 MEDIUM POC
5.4 Jun 27

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with

CVE-2022-2040 MEDIUM POC
5.4 Jun 27

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a ro

CVE-2024-2087 HIGH
7.2 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in a

CVE-2024-3667 HIGH
7.4 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of mu

CVE-2024-1937 HIGH
7.1 Jul 16

The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabi

CVE-2024-1940 HIGH
7.1 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versi

CVE-2023-51396 MEDIUM
6.5 Dec 29

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy - P

CVE-2024-1293 MEDIUM
6.4 Mar 13

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom

Share

CVE-2024-3711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy