CVE-2024-1311
📋 TL;DR
The Brizy Page Builder WordPress plugin allows authenticated attackers with contributor-level access or higher to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution on affected WordPress sites. All WordPress sites using Brizy Page Builder versions up to 2.4.40 are vulnerable.
💻 Affected Systems
- Brizy - Page Builder WordPress Plugin
📦 What is this software?
Brizy by Brizy
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, malware injection, credential theft, or creation of persistent backdoors for future attacks.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though risk remains elevated.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Multiple public references demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.41
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3034945/brizy/tags/2.4.41/editor/zip/archiver.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Brizy Page Builder. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.4.41+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Restrict Contributor File Uploads
allTemporarily disable file upload capabilities for contributor-level users using WordPress role management plugins.
Web Application Firewall Rule
allBlock requests to the vulnerable storeImages function endpoint.
Block POST requests to /wp-admin/admin-ajax.php with action parameter containing 'storeImages'
🧯 If You Can't Patch
- Temporarily deactivate the Brizy Page Builder plugin until patching is possible
- Implement strict file upload restrictions at the web server level (e.g., .htaccess rules blocking PHP file execution in upload directories)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Brizy Page Builder version. If version is 2.4.40 or lower, you are vulnerable.Check Version:
wp plugin list --name=brizy --field=version (if WP-CLI installed)Verify Fix Applied:
After updating, verify Brizy Page Builder version shows 2.4.41 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Brizy-related endpoints
- POST requests to /wp-admin/admin-ajax.php with 'storeImages' action
- Uploads of non-image file types to media directories
Network Indicators:
- HTTP POST requests containing malicious file uploads to Brizy endpoints
- Unusual outbound connections from web server after file uploads
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "storeImages") AND (post_data CONTAINS ".php" OR post_data CONTAINS ".exe" OR post_data CONTAINS ".sh")🔗 References
- https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/zip/archiver.php#L254
- https://plugins.trac.wordpress.org/changeset/3034945/brizy/tags/2.4.41/editor/zip/archiver.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc023c1b-7ec6-45b6-b50a-f0d823065843?source=cve
- https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/zip/archiver.php#L254
- https://plugins.trac.wordpress.org/changeset/3034945/brizy/tags/2.4.41/editor/zip/archiver.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc023c1b-7ec6-45b6-b50a-f0d823065843?source=cve
