A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained with each other to allow attackers to completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) has been installed on more than 90,000 websites. It is billed as an intuitive website builder for those without technical skills. It comes with a collection of more than 500 pre-made blocks, map and video integration, and drag-and-drop design features. According to researchers, it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability prior to version 2.3.17.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.
“During a routine review of our firewall rules, we noticed traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
Foundation for Attack: A Reintroduced Access-Control Bug
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020, but reintroduced in version 1.0.127 this year. It’s a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin uses a pair of administrator functions for a wide variety of authorization checks, and “any user that passed one of these checks was assumed to be an administrator.” They added, “being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check.”
The upshot of this is that all logged-in users, such as subscribers to a newsletter, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
“While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site,” according to Wordfence’s analysis.
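The access-control flaw described above is a textbook case of checking the wrong thing. The article does not name the two "administrator functions" Brizy relied on, so the added example below, which is not Brizy's code or Wordfence's, assumes the classic WordPress pitfall that matches the description: `is_admin()` only reports that an admin-area URL (anything under `/wp-admin/`, including `admin-ajax.php`) is being served, not that the current user is an administrator. The function and action names prefixed `brizy_example_` are hypothetical.

```php
<?php
// Added example (not Brizy's code). Assumes it runs inside WordPress.
//
// VULNERABLE pattern (assumed, for illustration): any logged-in user who
// requests an endpoint under /wp-admin/, e.g. admin-ajax.php, passes this
// check, because is_admin() describes the URL being served, not the user.
function brizy_example_can_edit_vulnerable() {
    return is_user_logged_in() && is_admin();
}

// HARDENED pattern: ask WordPress whether *this* user may edit *this* post,
// and require a nonce so the request cannot be forged from another site.
// A subscriber has no edit_post capability, so the call returns false.
function brizy_example_can_edit_hardened( $post_id ) {
    return is_user_logged_in()
        && current_user_can( 'edit_post', $post_id )
        && false !== check_ajax_referer( 'brizy_example_nonce', 'nonce', false );
}

// Hypothetical AJAX handler wired with the hardened check. With the
// vulnerable check in its place, every logged-in user could rewrite any post.
add_action( 'wp_ajax_brizy_example_update_post', function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! brizy_example_can_edit_hardened( $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    wp_update_post( array(
        'ID'           => $post_id,
        // Sanitize stored HTML so this endpoint cannot become a stored XSS sink.
        'post_content' => wp_kses_post( $content ),
    ) );
    wp_send_json_success();
} );
```

The design point is that authorization must be decided per user and per object (`current_user_can( 'edit_post', $post_id )`), never inferred from where the request arrived. A quick audit check for any plugin is to grep for `is_admin()` used as a gate in AJAX or REST handlers.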
Authenticated Stored Cross-Site Scripting
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it is a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
Authenticated File Upload and Path Traversal
The second new bug is a high-severity arbitrary file-upload issue (CVE-2021-38346) that could allow authenticated users to upload files to a site. But again thanks to the authorization-check vulnerability, it becomes possible for subscriber-level users to elevate their privileges, then upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action, according to Wordfence researchers.
Other kinds of attacks are also possible, according to the analysis.
“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” they said. “For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.”
So, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and achieve full remote code execution on a site, enabling site takeover,” they added.
Users can protect themselves by updating to the latest version of the plugin, version 2.3.17.
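Appending `.jpg` to whatever name the caller supplied is the root of both the double-extension and the `../` problems quoted above. The added example below is not Brizy's patch; it is a hypothetical screenshot-upload handler that takes the same two parameters the advisory names (`id` for the file name, `ibsf` for base64 data) and shows the checks a defender would want: the server chooses the path, the name is rebuilt from a tightly restricted stem, the decoded bytes must really be an image, and the resolved path is confirmed to lie inside the upload directory. The `brizy_example_` names are assumptions; it assumes WordPress is loaded.

```php
<?php
// Added example (not Brizy's code). Assumes WordPress is loaded.

function brizy_example_store_screenshot( $id, $ibsf_b64, $base_dir ) {
    // 1. Never let the caller choose a directory: basename() drops every
    //    path component, so "../../wp-content/evil" collapses to "evil".
    $name = sanitize_file_name( basename( (string) $id ) );

    // 2. pathinfo() strips only the LAST extension, so "shell.php.jpg"
    //    yields the stem "shell.php". The dot-free allowlist below rejects
    //    it, which closes the double-extension trick regardless of what the
    //    web server's AddHandler/SetHandler rules would do with it.
    $stem = pathinfo( $name, PATHINFO_FILENAME );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $stem ) ) {
        return new WP_Error( 'bad_name', 'Unacceptable file name' );
    }

    // 3. Strict base64 decode and a size cap; anything else is rejected.
    $bytes = base64_decode( (string) $ibsf_b64, true );
    if ( false === $bytes || strlen( $bytes ) > 2 * 1024 * 1024 ) {
        return new WP_Error( 'bad_data', 'Payload is not valid base64 or is too large' );
    }

    // 4. The extension is derived from the CONTENT, not from the request.
    //    PHP source disguised with a .jpg name fails this check.
    $info = getimagesizefromstring( $bytes );
    $allowed = array( 'image/jpeg' => 'jpg', 'image/png' => 'png' );
    if ( false === $info || ! isset( $allowed[ $info['mime'] ] ) ) {
        return new WP_Error( 'bad_type', 'Payload is not a JPEG or PNG image' );
    }
    $ext = $allowed[ $info['mime'] ];

    // 5. Build the final path ourselves and verify with realpath() that the
    //    directory we are about to write into is the one we intended.
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return new WP_Error( 'no_dir', 'Target directory missing' );
    }
    $target = $base . DIRECTORY_SEPARATOR . $stem . '.' . $ext;
    if ( realpath( dirname( $target ) ) !== $base ) {
        return new WP_Error( 'traversal', 'Resolved path left the upload directory' );
    }
    if ( false === file_put_contents( $target, $bytes ) ) {
        return new WP_Error( 'write_failed', 'Could not write file' );
    }
    return $target;
}

// Hypothetical AJAX action. The capability and nonce checks are what the
// reintroduced access-control bug removed from the real chain; without them
// every subscriber reaches the upload code.
add_action( 'wp_ajax_brizy_example_block_screenshot', function () {
    if ( ! current_user_can( 'upload_files' )
        || false === check_ajax_referer( 'brizy_example_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'brizy-example-screenshots';
    wp_mkdir_p( $dir );
    $result = brizy_example_store_screenshot(
        isset( $_POST['id'] ) ? $_POST['id'] : '',
        isset( $_POST['ibsf'] ) ? $_POST['ibsf'] : '',
        $dir
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'path' => $result ) );
} );
```

Note that step 5 is deliberately redundant with step 2: the regex already excludes slashes and dots, but confirming the resolved directory costs nothing and keeps the handler safe if someone later relaxes the allowlist. A server-side `.htaccess` that disables PHP execution in the upload directory is still worth having, but as the quoted advisory shows, traversal can route around it, so it must not be the only control.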
XSS Plugin Plague
XSS vulnerabilities in WordPress plugins have been far from scarce so far in 2021. For instance, in August an authenticated stored XSS vulnerability was found in the SEOPress WordPress plugin, which is installed on 100,000 sites.
In February, a stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users. The developers did not issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
And in January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox, which has 40,000 installs, that could let attackers inject malicious code into vulnerable websites and/or take control of a site.