According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website.
Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability.
Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers.
“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting.
“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution.
A Reintroduced Access Control Bug Serves as the Attack's Foundation
The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts.
The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.
"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers.
As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published.
According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.”
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked.
The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers.
The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which might allow authenticated users to post files to a website. According to Wordfence researchers, the authorization check vulnerability allows subscriber-level users to elevate their privileges and subsequently upload executable files to a place of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of assaults are also possible.
“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained.
“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.”
Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added.
Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.