Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Brizy Subscribe
Filtered by product Brizy-page Builder
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-38345 1 Brizy 1 Brizy-page Builder 2022-10-27 4.0 MEDIUM 6.5 MEDIUM
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.
CVE-2022-2041 1 Brizy 1 Brizy-page Builder 2022-07-06 3.5 LOW 5.4 MEDIUM
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2022-2040 1 Brizy 1 Brizy-page Builder 2022-07-06 3.5 LOW 5.4 MEDIUM
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2021-38346 1 Brizy 1 Brizy-page Builder 2022-07-05 6.5 MEDIUM 8.8 HIGH
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations.
CVE-2021-38344 1 Brizy 1 Brizy-page Builder 2022-07-05 3.5 LOW 5.4 MEDIUM
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page.