Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers

2021-10-13 16:05

Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.

The two fresh bugs can both be chained with the re-introduced access control vulnerability to allow complete site takeover, researchers explained.

"JavaScript running in an administrator's session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files."

The second new bug is a high-severity arbitrary file-upload issue that could allow authenticated users to upload files to a site.

The developers didn't issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

In January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox that has 40,000 installs, that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

News URL

https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

#exploit #takeover #wordpress

Related vendor

VENDOR	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Wordpress	7	2	93	44	18	157
Brizy	3	0	20	4	0	24
Plugin	2	0	13	1	0	14

News URL

Related news

Related vendor