A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) is installed on more than 90,000 sites. It's billed as an intuitive site builder for people without technical skills. It comes with a collection of more than 500 pre-made blocks, map and video integration and drag-and-drop design functionality. According to researchers, it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability prior to version 2.3.17.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers warned.
"During a routine review of our firewall rules, we found traffic indicating that a vulnerability could be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack," researchers at Wordfence explained in a Wednesday posting. "This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced."
The two fresh bugs can both be chained with the reintroduced access-control vulnerability to allow full site takeover, researchers explained. In combination with the stored XSS bug, any logged-in user would be able to modify any published post and inject malicious JavaScript into it. A pairing with the other bug could meanwhile allow any logged-in user to upload potentially executable files and achieve remote code execution.
Basis for Attack: A Reintroduced Access-Control Bug
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020 but reintroduced in version 1..127 this year. It is a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin uses a pair of administrator functions for a wide range of authorization checks, and "any user that passed one of these checks was assumed to be an administrator." They added, "being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check."
The upshot of this is that all logged-in users, such as subscribers to a newsletter, were permitted to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
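As an added illustration that is neither Brizy's code nor Wordfence's, the following WordPress PHP contrasts the pattern described above (treating any logged-in request to the admin area as an administrator) with a capability check scoped to the post being edited. The hook name, nonce action and function names are assumptions; the snippet is meant to be dropped into a plugin, not run on its own.

```php
<?php
// Added example, not the plugin's code: two versions of an AJAX handler that
// updates a post's content. Hook name, nonce action and function names are
// assumptions for illustration.

// WEAK PATTERN (constructed to match the flaw the article describes):
// is_admin() is true for any request to the wp-admin area, including
// admin-ajax.php, and is_user_logged_in() is true for a subscriber. Neither
// says anything about what this user may do to this particular post.
function example_weak_update_post() {
    if ( ! is_user_logged_in() || ! is_admin() ) {
        wp_die( 'Forbidden', 403 );
    }
    $post_id = absint( $_POST['post'] ?? 0 );
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $_POST['content'] ?? '', // no role-based HTML filtering either
    ) );
    wp_send_json_success();
}

// HARDENED PATTERN: a nonce check against CSRF, then a capability check tied
// to the specific post ID, then HTML filtered through the kses rules that
// apply to users without the unfiltered_html capability.
function example_hardened_update_post() {
    check_ajax_referer( 'example_update_post', 'nonce' );

    $post_id = absint( $_POST['post'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // wp_kses_post() strips <script> tags and on* event handlers; the request
    // data is unslashed before filtering and re-slashed for wp_update_post(),
    // which expects slashed input.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_slash( $content ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_post', 'example_hardened_update_post' );
```

The point of `current_user_can( 'edit_post', $post_id )` is that WordPress resolves it per post: a subscriber fails it for every post, a contributor passes it only for their own unpublished drafts, and an editor passes it for published content. A check that only asks "is this request in the admin area?" answers a different question entirely.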
"While this vulnerability may only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site," according to Wordfence's analysis.
Authenticated Stored Cross-Site Scripting
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it's a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
On its own, the bug allows a lower-privileged user (such as a contributor or subscriber) to add JavaScript to an update request, which would then be executed if the post were viewed or previewed by someone else, such as an administrator. It becomes dangerous, however, when combined with the authorization bypass, researchers noted.
"Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site," the researchers noted. "JavaScript running in an administrator's session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files."
Authenticated File Upload and Path Traversal
The second new bug is a high-severity arbitrary file-upload issue (CVE-2021-38346) that could allow authenticated users to upload files to a site. But again, thanks to the authorization check vulnerability, it becomes possible for subscriber-level users to elevate their privileges, then upload executable files to a location of their choice using the brizy_build_block_screenshot AJAX action, according to Wordfence researchers.
Other kinds of attacks are also possible, according to the analysis.
"While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible," they explained. "For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to bypass execution limits added via .htaccess."
Thus, "by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover," they added.
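The three weaknesses Wordfence describes in the screenshot upload (a client-controlled name that can carry ../, an appended .jpg that still leaves shell.php.jpg executable under a loose AddHandler/SetHandler, and decoded content that is never checked to be an image) are each closed by a separate check. The plain PHP below is an added example, not the plugin's code; function names are assumptions and the inputs at the bottom are constructed.

```php
<?php
// Added example (not Brizy's or Wordfence's code): server-side validation
// for a base64-encoded image upload. Function names are assumptions; the
// inputs at the bottom are constructed for the demonstration.

const EXAMPLE_ALLOWED = array( 'jpg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG );

// Validate a client-supplied name. Returns the permitted extension, or null.
// Rejects path separators and NUL (so ../ traversal cannot occur), requires
// exactly one extension (so shell.php.jpg is refused, not only shell.php),
// and checks that extension against an allow-list.
function example_validate_name( string $name ): ?string {
    if ( $name === '' || strlen( $name ) > 100 ) {
        return null;
    }
    if ( preg_match( '#[/\\\\\x00]#', $name ) ) { // any /, \ or NUL byte
        return null;
    }
    $parts = explode( '.', $name );
    if ( count( $parts ) !== 2 ) {
        return null; // no extension, or more than one
    }
    list( $base, $ext ) = $parts;
    $ext = strtolower( $ext );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $base ) || ! isset( EXAMPLE_ALLOWED[ $ext ] ) ) {
        return null;
    }
    return $ext;
}

// Validate the decoded bytes: strict base64 decoding, then the image type
// detected from the content must match the claimed extension. A PHP payload
// labelled .jpg fails here regardless of what the name says.
function example_validate_content( string $b64, string $ext ): ?string {
    $bytes = base64_decode( $b64, true );
    if ( $bytes === false || $bytes === '' ) {
        return null;
    }
    $info = @getimagesizefromstring( $bytes );
    if ( $info === false || $info[2] !== EXAMPLE_ALLOWED[ $ext ] ) {
        return null;
    }
    return $bytes;
}

// Full check. On success returns the path the file would be written to. The
// name on disk is generated server-side, so nothing from the request reaches
// the filesystem name, and the result is confirmed to lie inside $upload_dir.
function example_store( string $upload_dir, string $name, string $b64 ): ?string {
    $ext = example_validate_name( $name );
    if ( $ext === null ) {
        return null;
    }
    $bytes = example_validate_content( $b64, $ext );
    if ( $bytes === null ) {
        return null;
    }
    $dir_real = realpath( $upload_dir );
    if ( $dir_real === false ) {
        return null;
    }
    $target = $dir_real . DIRECTORY_SEPARATOR . bin2hex( random_bytes( 8 ) ) . '.' . $ext;
    if ( dirname( $target ) !== $dir_real ) {
        return null; // containment check, independent of the name validation above
    }
    // file_put_contents( $target, $bytes ) would go here.
    return $target;
}

// Constructed inputs: a 1x1 PNG, and a small PHP script encoded the same way.
$png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$php = base64_encode( '<?php echo 1; ?>' );
$dir = sys_get_temp_dir();

var_dump( example_store( $dir, 'block-12.png', $png ) );     // allowed name, genuine PNG
var_dump( example_store( $dir, 'shell.php', $php ) );        // extension not on the allow-list
var_dump( example_store( $dir, 'shell.php.jpg', $png ) );    // double extension
var_dump( example_store( $dir, '../../block.png', $png ) );  // path separators in the name
var_dump( example_store( $dir, 'block.png', $php ) );        // allowed name, but content is not a PNG
```

Generating the on-disk name server-side is the decisive step: once the request can no longer influence the path or the extension, neither traversal nor a double extension has anything to work with, and the content check stops a PHP payload that was merely renamed. Inside WordPress the same checks can sit in front of `wp_upload_dir()` and `wp_check_filetype()` rather than the raw filesystem calls shown here.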
Users can protect themselves by updating to the latest version of the plugin, version 2.3.17.
XSS Plugin Plague
XSS vulnerabilities in WordPress plugins have been far from rare so far in 2021. For instance, in August an authenticated stored XSS vulnerability was uncovered in the SEOPress WordPress plugin, which is installed on 100,000 websites.
In July, a critical XSS bug was found to affect WordPress sites running the Frontend File Manager plugin. It allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts, and was just one of six critical flaws disclosed in that advisory.
In February, a stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users. The developers didn't issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
And in January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox that has 40,000 installs, which could allow attackers to inject malicious code into vulnerable websites and/or take control of a site.
Some parts of this article are sourced from:
threatpost.com