Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers
2021-10-13 16:05

Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.

The two fresh bugs can both be chained with the re-introduced access control vulnerability to allow complete site takeover, researchers explained.

"JavaScript running in an administrator's session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files."

The second new bug is a high-severity arbitrary file-upload issue that could allow authenticated users to upload files to a site.

The developers didn't issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

In January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox, which has 40,000 installs and could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

News URL

https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

Related vendor

VENDOR      LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Wordpress   7                       2     93       44     18         157
Plugin      2                       0     13       1      0          14
Brizy       3                       0     11       2      0          13