Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers – Threatpost

A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) has been installed on more than 90,000 sites. It’s billed as an intuitive website builder for those without technical skills. It comes with a collection of more than 500 pre-designed blocks, maps and video integration and drag-and-drop design functionality. According to researchers, it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability prior to version 2.3.17.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.
“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
The two fresh bugs can both be chained with the reintroduced access-control vulnerability to allow complete site takeover, researchers explained. Combined with the stored XSS bug, any logged-in user would be able to modify any published post and inject malicious JavaScript into it. Paired with the other bug, any logged-in user could upload potentially executable files and achieve remote code execution.
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020, but reintroduced in version 1.0.127 this year. It’s a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin uses a pair of administrator functions for a wide variety of authorization checks, and “any user that passed one of these checks was assumed to be an administrator.” They added, “being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check.”
The upshot of this is that all logged-in users, including accounts holding nothing more than the WordPress Subscriber role, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
“While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site,” according to Wordfence’s analysis.
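The access-control failure described above is the classic WordPress mistake of treating "this request is to the admin area" as "this user is an administrator". The following is an added illustration written for this page, not Brizy's own code: the vulnerable helper is modelled on WordPress's `is_admin()`, which returns true for any request under wp-admin (including `admin-ajax.php`) regardless of the caller's role, and is an assumption since the article does not name the function the plugin used. The `brizy_example_` names and the AJAX action are hypothetical; the hardened handler uses the standard `check_ajax_referer`, `current_user_can` and `wp_update_post` APIs.

```php
<?php
// Added example, not from the Brizy plugin. Contrasts a request-context
// "admin" check with a capability check tied to the specific post.

// Pattern the article describes (assumption: modelled on is_admin()).
// is_admin() answers "is this an admin-area request?", not "is this user an
// administrator?", so any logged-in account calling wp-admin/admin-ajax.php
// passes, including Subscribers.
function brizy_example_vulnerable_can_edit( $post_id ) {
    return is_user_logged_in() && is_admin();
}

// Hardened handler for a hypothetical "update post" AJAX action.
add_action( 'wp_ajax_brizy_example_update_post', function () {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // 1. Nonce: proves the request originated from markup or script that
    //    WordPress issued to this user, which blocks cross-site request forgery.
    check_ajax_referer( 'brizy_example_update_post_' . $post_id, '_wpnonce' );

    // 2. Object-level capability: edit_post is a meta capability that core
    //    resolves against the post's author and status, so a Subscriber
    //    fails outright, a Contributor fails on published posts and an
    //    Author passes only for posts they own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // 3. wp_update_post runs the content through the content_save_pre filters,
    //    so callers without the unfiltered_html capability have <script>
    //    stripped by kses even on this code path. This is the layer that
    //    stops the stored-XSS half of the chain when the auth check holds.
    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'post_id' => $result ) );
} );
```

When reviewing a plugin's AJAX or REST handlers, grep for `is_admin()` used as a permission test: it is a context check only, and the fix is always a `current_user_can()` call against the capability and object the handler actually touches, paired with a nonce.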
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it’s a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
On its own, the bug allows a lower-privileged user (such as a contributor or subscriber) to add JavaScript to an update request, which would then be executed if the post were viewed or previewed by another user, such as an administrator. It becomes dangerous, however, when combined with the authorization bypass, researchers said.
“Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site,” the researchers noted. “JavaScript running in an administrator’s session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files.”
The second new bug is a high-severity arbitrary file-upload issue (CVE-2021-38346) that could allow authenticated users to upload files to a site. But again thanks to the authorization check vulnerability, it becomes possible for subscriber-level users to elevate their privileges, then upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action, according to Wordfence researchers.
Other kinds of attacks are also possible, according to the analysis.
“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” they explained. “For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.”
Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added.
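The upload bug combines three separate filename-handling failures: the caller picks the base name (so `../` traversal works), the server appends `.jpg` instead of replacing the extension (so `shell.php.jpg` survives), and the bytes are never checked against the claimed type. The following is an added example written for this page, not the plugin's code. The parameter names `id` and `ibsf` come from the article; everything else (the `brizy_example_` function names, the directory argument, the validation logic) is an assumption. The hardened version uses the standard `wp_upload_bits` and `getimagesizefromstring` APIs.

```php
<?php
// Added example, not from the Brizy plugin. Shows the filename handling the
// article describes next to a version that closes traversal, double-extension
// and content-type gaps.

// Pattern described in the article (handler body is an assumption).
// id="../evil.php" escapes $upload_dir; id="shell.php" becomes shell.php.jpg,
// which Apache still hands to PHP under "AddHandler ... .php" because
// mod_mime treats every dotted segment as an extension.
function brizy_example_vulnerable_save( $upload_dir, $id, $ibsf ) {
    $path = $upload_dir . '/' . $id . '.jpg';
    file_put_contents( $path, base64_decode( $ibsf ) );
    return $path;
}

// Hardened version: the client never chooses the stored filename, the bytes
// must parse as an image, and the write goes through the WordPress upload API.
function brizy_example_safe_save( $id, $ibsf ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }

    // Allowlist the identifier before it can reach any filesystem call:
    // no slashes, dots or NUL bytes survive this pattern, so traversal and
    // extension games are impossible rather than merely filtered.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $id ) ) {
        return new WP_Error( 'bad_id', 'invalid screenshot id' );
    }

    // Strict decoding: characters outside the base64 alphabet make this
    // return false instead of being silently skipped.
    $bytes = base64_decode( $ibsf, true );
    if ( false === $bytes ) {
        return new WP_Error( 'bad_data', 'payload is not base64' );
    }

    // Validate the content, not the name: getimagesizefromstring parses the
    // image header and fails on PHP source or other non-image bytes.
    $info    = @getimagesizefromstring( $bytes );
    $allowed = array( IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg' );
    if ( false === $info || ! isset( $allowed[ $info[2] ] ) ) {
        return new WP_Error( 'bad_data', 'payload is not a PNG or JPEG' );
    }

    // Server-chosen name with a single extension that matches the real type;
    // the random suffix prevents overwriting an existing screenshot.
    $name = 'screenshot-' . $id . '-' . wp_generate_password( 8, false ) . '.' . $allowed[ $info[2] ];

    // wp_upload_bits writes under wp-content/uploads/YYYY/MM and rejects
    // extensions outside the site's upload_mimes allowlist.
    $result = wp_upload_bits( $name, null, $bytes );
    if ( ! empty( $result['error'] ) ) {
        return new WP_Error( 'write_failed', $result['error'] );
    }
    return $result['file'];
}
```

On the server side, the "unanchored" handler the researchers mention is the difference between `<FilesMatch "\.php$">` (only a trailing `.php` is executed) and `AddHandler application/x-httpd-php .php` or a `<FilesMatch "\.php">` without the `$`, either of which executes `shell.php.jpg`. Anchoring the directive is worth doing, but as the traversal note shows, a plugin that lets the caller steer the write path can land the file where `.htaccess` rules do not apply, so the filename validation above is the control that actually matters.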
Users can protect themselves by updating to the latest version of the plugin, version 2.3.17.
XSS vulnerabilities in WordPress plugins have been far from scarce so far in 2021. For instance, in August an authenticated stored XSS vulnerability was found in the SEOPress WordPress plugin, which is installed on 100,000 websites.
In July, a critical XSS bug was found to impact WordPress sites running the Frontend File Manager plugin. It allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts, and was just one of six critical flaws disclosed in that advisory.
In February, a stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users. The developers didn’t issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
And in January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox that has 40,000 installs, that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.