Description
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: Low
Affected products
- Brizy.io / Brizy – Page Builder: 2.3.11 – 2.3.11
- Brizy.io / Brizy – Page Builder: 1.0.127 – 1.0.127*
- Brizy.io / Brizy – Page Builder: 1.0.125 – 1.0.125