Brizy - Page Builder < 1.0.114 - Unauthenticated Site Settings Update



Description

The plugin fails to restrict access to the site settings page, allowing unauthenticated users to change settings such as the site title and description, and to place an XSS payload in the footer, leading to unauthenticated stored XSS.

As we saw probes in the wild checking for the issue, we chose to disclose it (see below for details).

February 10th, 2020 - Report received & WP Plugins Team notified.
February 12th, 2020 - WP Plugins Team investigating.
February 12th, 2020 - v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed.
March 3rd, 2020 - Seeing probes checking for the issue.
March 4th, 2020 - Contacted WP Plugins Team for an ETA on re-opening the plugin.
March 5th, 2020 - Plugin cannot be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes.
March 5th, 2020 - Issue disclosed; we recommend removing the plugin until a new version is available and downloadable.
March 6th, 2020 - Plugin re-opened.

Proof of Concept
Access [domain.com]/wp-content/plugins/brizy/admin/site-settings.php

The page is directly accessible, and you can enter XSS code in the footer.
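
To check whether a site received the probes mentioned in the timeline, the web server access log can be searched for requests to the path above. The following is an added example, not code from the advisory or from the plugin; it assumes the common/combined log format, and the sample log lines and the verdict names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Path taken from the advisory's proof of concept.
TARGET = "/wp-content/plugins/brizy/admin/site-settings.php"

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, status):
    """Rank a hit: a 2xx status means the file exists and answered the request."""
    if 200 <= status < 300:
        # Assumption: settings are saved by form submission, so a served POST is the worst case.
        return "possible-settings-change" if method == "POST" else "page-served"
    return "probe-blocked-or-missing"

def find_hits(lines):
    """Return {client_ip: [(time, method, status, verdict), ...]} for requests to TARGET."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Compare the path only: drop the query string, decode %xx, collapse // and /./
        raw = unquote(m["path"].split("?", 1)[0])
        path = posixpath.normpath(re.sub(r"/{2,}", "/", raw))
        if path != TARGET:
            continue
        status = int(m["status"])
        hits[m["ip"]].append((m["time"], m["method"], status, classify(m["method"], status)))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Mar/2020:10:15:02 +0000] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.7 - - [03/Mar/2020:10:15:09 +0000] "POST /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 200 5188 "-" "curl/7.68.0"',
    '203.0.113.20 - - [03/Mar/2020:11:02:41 +0000] "GET //wp-content/plugins/brizy/admin/site-settings.php?x=1 HTTP/1.1" 404 310 "-" "-"',
    '192.0.2.33 - - [03/Mar/2020:11:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE).items():
        for when, method, status, verdict in events:
            print(f"{ip} {when} {method} {status} {verdict}")
```

A "possible-settings-change" verdict on a site that ran a version before 1.0.114 is a reason to review the site title, description and footer settings for unexpected content.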

Affects Plugin

fixed in version 1.0.114

Classification

Type: PRIVESC
OWASP Top 10: A2: Broken Authentication and Session Management
CWE: CWE-269

Miscellaneous

Original Researcher: Riki Aji
Submitter: systemR
Views: 2291
Verified: Yes
WPVDB ID: 10112

Timeline

Publicly Published: 2020-03-05 (3 months ago)
Added: 2020-03-05 (3 months ago)
Last Updated: 2020-03-06 (3 months ago)
