CVE-2024-3711
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 23/05/2024
Last modified: 16/01/2025
Description
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin settings updates due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers with contributor-level access or above to enable or disable the Brizy editor and modify the template used.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:brizy:brizy:*:*:*:*:free:wordpress:*:* | | 2.4.44 (excluding) |
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/brizy/trunk/admin/main.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3086506%40brizy/trunk&old=3058896%40brizy/trunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7092ce4a-bad9-4426-b94e-d9d688344272?source=cve