Brizy <= 1.0.125 and 1.0.127 – 2.3.11 Incorrect authorization checks allowing Post modification
CVE-2021-38345

7.1HIGH

Key Information:

Vendor: WordPress
Status: Brizy - Page Builder
Vendor: CVE Published:; 14 October 2021

What is CVE-2021-38345?

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.

Affected Version(s)

Brizy - Page Builder WordPress 2.3.11

Brizy - Page Builder WordPress 1.0.127 < 1.0.127*

Brizy - Page Builder WordPress 1.0.125

References

https://www.wordfence.com/blog/2021/10/multiple-vulnerabi...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2021
Vulnerability Reserved
Aug 9, 2021

Credit

Ramuel Gall, Wordfence