Skip to main content

Brizy CVE-2026-32408

| EUVDEUVD-2026-11925 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11925
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in themefusecom Brizy brizy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brizy: from n/a through <= 2.7.23.

AnalysisAI

Brizy through version 2.7.23 contains a missing authorization flaw that allows authenticated users to access resources or perform actions beyond their assigned permissions due to improperly configured access controls. An attacker with valid credentials can exploit this vulnerability to view sensitive information from other users or accounts. No patch is currently available for this issue.

Technical ContextAI

This vulnerability is classified under CWE-862 (Missing Authorization), which represents a failure to properly enforce permission checks at the application logic layer. Brizy is a visual page builder plugin/platform that manages user roles and access control for website content and design elements. The root cause stems from inadequately validated access control decisions when processing user requests—the application likely fails to verify whether an authenticated user has the requisite permissions before returning resource data or allowing modifications. This is distinct from authentication failures; the user is already authenticated (PR:L indicates login is required), but the authorization layer does not properly validate role-based or permission-based access rules. The affected CPE would be cpe:2.3:a:themefusecom:brizy:* for versions through 2.7.23, indicating a systematic authorization bypass across the Brizy application.

RemediationAI

Upgrade Brizy to version 2.7.24 or later as soon as feasible to obtain the authorization control fix (consult the official Brizy release notes at brizy.io or the WordPress plugin repository for exact patch availability and timing). If immediate patching is not possible, implement compensating controls: restrict Brizy access via network IP allowlisting to trusted administrator ranges, enforce strong authentication policies (require multi-factor authentication for all Brizy user accounts), audit and minimize the number of user accounts with Brizy access, and implement application-level logging and monitoring to detect suspicious cross-user data access patterns. For WordPress deployments, consider temporarily disabling Brizy if it is not actively in use, and ensure all other plugins and WordPress core are updated to their latest versions to prevent account compromise vectors that could amplify this authorization bypass.

More in Brizy

View all
CVE-2020-36714 HIGH POC
7.4 Oct 20

The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_admin

CVE-2024-1311 HIGH
8.8 Mar 13

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio

CVE-2024-10960 CRITICAL
9.9 Feb 12

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio

CVE-2024-3242 HIGH
8.8 Jul 18

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension vali

CVE-2022-2041 MEDIUM POC
5.4 Jun 27

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with

CVE-2022-2040 MEDIUM POC
5.4 Jun 27

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a ro

CVE-2024-2087 HIGH
7.2 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in a

CVE-2024-3667 HIGH
7.4 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of mu

CVE-2024-1937 HIGH
7.1 Jul 16

The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabi

CVE-2024-1940 HIGH
7.1 Jun 05

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versi

CVE-2023-51396 MEDIUM
6.5 Dec 29

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy - P

CVE-2024-1293 MEDIUM
6.4 Mar 13

The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom

Share

CVE-2026-32408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy