A popular page builder plugin has been reported to contain multiple WordPress vulnerabilities. Although not under active attack, these vulnerabilities still put 90,000 sites at risk of being hacked, or worse.
Wordfence discovered two new vulnerabilities as well as an access control vulnerability that was previously patched.
This plugin is known as the Brizy Page Builder plugin.
The biggest concern Wordfence reported regarding these vulnerabilities is that they could be used in combination with each other to facilitate a full site takeover.
The other concern is that a combination like this could allow any published posts to be modified by any logged-in user, and any such user could add malicious JavaScript to the post. There is also another flaw that allows any logged-in user to achieve remote code execution by uploading potentially executable files.
The CVSS (Common Vulnerability Scoring System) scores of these vulnerabilities are as follows:
WordPress Vulnerability 1: Incorrect Authorization Checks Allowing Post Modification
This vulnerability has a CVSS score of 7.1, which is considered high.
According to Wordfence, the plugin uses the Brizy_Editor::is_administrator and Brizy_Editor_User::is_administrator functions for many types of authorization checks, and a user that passes the check is treated as an administrator. In effect, this bypasses nearly every capability check the plugin uses. The logic flaw is that these functions relied on WordPress's is_admin() function to check authorization, so any logged-in user who accessed an endpoint under the wp-admin directory was enough to pass the check.
This means any post or page can be modified by any logged-in user, including subscribers, even if the post was already published. This is the same logic flaw that was patched in version 1.0.126 and reintroduced in version 1.0.127. Only Brizy_Editor::is_administrator existed in versions prior to 1.0.127.
Although this vulnerability would be a nuisance on its own, it also enabled two further vulnerabilities that together could facilitate a full site takeover.
WordPress Vulnerability 2: Authenticated Stored Cross-Site Scripting
This vulnerability has a CVSS score of 6.4, which is considered medium.
This vulnerability lets lower-privileged users add any JavaScript they want to page content: a lower-privileged user can modify the request sent to update a page via the brizy_update_item AJAX action, adding JavaScript to the data parameter.
The injected JavaScript executes whenever another user, such as an administrator, views or previews the post.
WordPress Vulnerability 3: Authenticated File Upload and Path Traversal
This vulnerability has a CVSS score of 8.8, which is considered high.
Because of the authorization check vulnerability, any subscriber-level user could upload executable files to any location they chose via the brizy_create_block_screenshot AJAX action.
A malicious user could supply any filename of their choice in the id parameter; the file contents were taken from the ibsf parameter, base64-decoded, and written to that file.
To add insult to injury, although the plugin appended .jpg to every uploaded filename, this did not prevent double-extension attacks.
For example, a file named shell.php would be saved as shell.php.jpg, which is still executable on many configurations, including Apache with mod_php and an unanchored AddHandler or SetHandler directive.
In addition, an attacker could prefix the filename with ../ to perform a directory traversal, storing the file in an arbitrary location and thereby circumventing any execution restrictions imposed by .htaccess.
According to Wordfence:
“By supplying a file with a .php extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover.”
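As an added illustration (this is not Brizy's code or Wordfence's fix), the following PHP contrasts the authorization mistake described under vulnerability 1 with a hardened handler for a hypothetical screenshot-saving AJAX action that receives the id and ibsf parameters described under vulnerability 3; the action name, nonce name, post_id field and target directory are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Shows the authorization mistake the
// article describes beside a hardened handler for a hypothetical screenshot action.

// Flawed pattern: is_admin() only reports whether the request targets an
// admin-area URL (admin-ajax.php included), so any logged-in user passes it.
function example_is_administrator_flawed() {
    return is_admin();
}

// Hardened handler. Assumed request fields: nonce, post_id, id, ibsf.
function example_save_block_screenshot() {
    // CSRF: the nonce must have been issued to the editor page.
    check_ajax_referer( 'example_screenshot', 'nonce' );

    // Real authorization: a capability check against the specific post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die()
    }

    // Filename: drop any directory part (defeats ../), sanitize, and replace the
    // client-chosen extension rather than appending to it (defeats shell.php.jpg).
    $raw  = isset( $_POST['id'] ) ? wp_unslash( $_POST['id'] ) : '';
    $name = sanitize_file_name( basename( $raw ) );
    $name = preg_replace( '/\.[^.]*$/', '', $name );
    if ( '' === $name ) {
        wp_send_json_error( 'bad id', 400 );
    }
    $name .= '.png';

    // Content: strict base64 decode, then require a parseable image header
    // (getimagesizefromstring is a PHP built-in and does not need GD).
    $data = base64_decode( isset( $_POST['ibsf'] ) ? $_POST['ibsf'] : '', true );
    if ( false === $data || false === getimagesizefromstring( $data ) ) {
        wp_send_json_error( 'not an image', 400 );
    }

    // Destination: a fixed subdirectory of uploads; realpath() confirms no escape.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-screenshots/';
    wp_mkdir_p( $dir );
    $target = $dir . $name;
    if ( 0 !== strpos( realpath( dirname( $target ) ), realpath( $dir ) ) ) {
        wp_send_json_error( 'bad path', 400 );
    }
    file_put_contents( $target, $data );
    wp_send_json_success( array( 'file' => $name ) );
}
add_action( 'wp_ajax_example_save_block_screenshot', 'example_save_block_screenshot' );
```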
Update Your Brizy Page Builder WordPress Plugin!
Although all Wordfence users, on both the free and premium versions, have been protected since 2020, we still strongly recommend updating to the latest version of Brizy, which is 2.3.17.
This is especially important if you don’t use Wordfence’s security plugin.