
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.
The two fresh bugs can both be chained with the re-introduced access control vulnerability to allow complete site takeover, researchers explained.
"JavaScript running in an administrator's session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files."
The second new bug is a high-severity arbitrary file-upload issue that could allow authenticated users to upload arbitrary files to a site.
The developers didn't issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
In January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox, which has 40,000 installs and could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
News URL
https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/
Related news
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
- Hackers exploit WordPress plugin auth bypass hours after disclosure
- OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws
- Hackers exploit OttoKit WordPress plugin flaw to add admin accounts
- Premium WordPress 'Motors' theme vulnerable to admin takeover attacks
- Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322)