Arbitrary File Uploads Vulnerability Affects Brizy Page Builder Plugin
CVE-2024-3242
8.8 HIGH
Summary
The Brizy Page Builder plugin for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file extension validation in the 'validateImageContent' function. This vulnerability affects all versions from inception up to and including version 2.4.43. Authenticated attackers with contributor or higher roles could leverage this flaw to upload potentially harmful files to the server, which could lead to remote code execution. The issue is mitigated in version 2.4.44, which prevents the upload of files with .sh and .php extensions, while version 2.4.45 includes a comprehensive fix for this vulnerability.
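The difference between refusing two named extensions and accepting only known image types is shown in the added example below. It is not the plugin's code: the function names, the allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, not taken from the Brizy plugin.

// Allowlist: permitted extension => signature the file content must start with.
const ALLOWED_IMAGES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
];

// Denylist in the style of the 2.4.44 mitigation: only .php and .sh are refused.
function denylist_accepts(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'sh'], true);
}

// Allowlist: the final extension must be a known image type and the content
// must begin with that type's signature, so name and content have to agree.
function allowlist_accepts(string $filename, string $content): bool
{
    $ext   = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    $magic = ALLOWED_IMAGES[$ext] ?? null;
    if ($magic === null) {
        return false;
    }
    return strncmp($content, $magic, strlen($magic)) === 0;
}

// Constructed sample inputs (not real uploads).
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$samples = [
    ['logo.png',  $png],          // genuine image header
    ['logo.PNG',  $png],          // extension case is normalised
    ['notes.txt', 'plain text'],  // not an image, yet not on the denylist
    ['logo.png',  'plain text'],  // extension does not match content
];

foreach ($samples as [$name, $body]) {
    printf(
        "%-10s denylist=%-5s allowlist=%s\n",
        $name,
        var_export(denylist_accepts($name), true),
        var_export(allowlist_accepts($name, $body), true)
    );
}
```

A leading signature only shows that the content starts like an image, so the check belongs alongside an extension allowlist and does not replace it.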
Affected Version(s)
Brizy – Page Builder * <= 2.4.44
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Matthew Rollings