Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in themefusecom Brizy brizy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brizy: from n/a through <= 2.7.23.
AnalysisAI
Brizy through version 2.7.23 contains a missing authorization flaw that allows authenticated users to access resources or perform actions beyond their assigned permissions due to improperly configured access controls. An attacker with valid credentials can exploit this vulnerability to view sensitive information from other users or accounts. No patch is currently available for this issue.
Technical ContextAI
This vulnerability is classified under CWE-862 (Missing Authorization), which represents a failure to properly enforce permission checks at the application logic layer. Brizy is a visual page builder plugin/platform that manages user roles and access control for website content and design elements. The root cause stems from inadequately validated access control decisions when processing user requests—the application likely fails to verify whether an authenticated user has the requisite permissions before returning resource data or allowing modifications. This is distinct from authentication failures; the user is already authenticated (PR:L indicates login is required), but the authorization layer does not properly validate role-based or permission-based access rules. The affected CPE would be cpe:2.3:a:themefusecom:brizy:* for versions through 2.7.23, indicating a systematic authorization bypass across the Brizy application.
RemediationAI
Upgrade Brizy to version 2.7.24 or later as soon as feasible to obtain the authorization control fix (consult the official Brizy release notes at brizy.io or the WordPress plugin repository for exact patch availability and timing). If immediate patching is not possible, implement compensating controls: restrict Brizy access via network IP allowlisting to trusted administrator ranges, enforce strong authentication policies (require multi-factor authentication for all Brizy user accounts), audit and minimize the number of user accounts with Brizy access, and implement application-level logging and monitoring to detect suspicious cross-user data access patterns. For WordPress deployments, consider temporarily disabling Brizy if it is not actively in use, and ensure all other plugins and WordPress core are updated to their latest versions to prevent account compromise vectors that could amplify this authorization bypass.
The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_admin
The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio
The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio
The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension vali
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a ro
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in a
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of mu
The Brizy - Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabi
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versi
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy - P
The Brizy - Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11925