CVE-2025-4370
📋 TL;DR
The Brizy Page Builder WordPress plugin has an unauthenticated file upload vulnerability that allows attackers to upload .TXT files to the server. This affects all WordPress sites using Brizy Page Builder versions up to 2.6.20. The vulnerability exists due to missing authorization checks and insufficient path validation.
💻 Affected Systems
- Brizy - Page Builder WordPress Plugin
📦 What is this software?
Brizy by Brizy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious .TXT files containing scripts or configuration that lead to remote code execution, complete site takeover, or data exfiltration.
Likely Case
Attackers upload .TXT files containing malicious scripts disguised as text files, potentially leading to cross-site scripting, phishing pages, or backdoor installation.
If Mitigated
Exposure is limited to .TXT file uploads, with file validation preventing execution and web server configuration blocking direct access to the uploaded files.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill. Attackers can directly call vulnerable functions via HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.21 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3200000/brizy/trunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Brizy Page Builder and click 'Update Now'.
4. Verify the version is 2.6.21 or higher.
🔧 Temporary Workarounds
Disable Brizy Plugin
Temporarily deactivate the Brizy Page Builder plugin until it is patched:
wp plugin deactivate brizy
Block Vulnerable Endpoints
Use a web application firewall or .htaccess to block access to the vulnerable plugin endpoints:
# Add to .htaccess (RewriteEngine is normally already enabled by the WordPress block):
RewriteEngine On
# Note: this pattern blocks the entire Brizy plugin directory, including its
# front-end assets, so pages built with Brizy may lose styling until the patch is applied.
RewriteCond %{REQUEST_URI} ^.*/wp-content/plugins/brizy/.*
RewriteRule ^.*$ - [F,L]
🧯 If You Can't Patch
- Implement strict file upload validation at web server level to block .TXT file uploads
- Deploy web application firewall with rules to detect and block unauthenticated file upload attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Brizy Page Builder version. If the version is 2.6.20 or lower, the system is vulnerable.
Check Version:
wp plugin get brizy --field=version
Verify Fix Applied:
Verify Brizy plugin version is 2.6.21 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/brizy/editor/asset/media-processor.php
- File upload attempts with .TXT extension to Brizy plugin directories
- Unauthenticated requests to Brizy plugin endpoints
Network Indicators:
- Unusual .TXT file uploads to WordPress sites
- Traffic to Brizy plugin endpoints from unauthenticated sources
SIEM Query:
source="web_server" AND (uri="*brizy*media-processor*" OR uri="*brizy*static-file*" OR file_extension="txt") AND http_method="POST"
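As an added example (not part of this advisory or the plugin's code), a small Python scanner that applies the log indicators above to Apache combined-format access log lines. The sample lines, the client IP addresses and the `name=notes.txt` query parameter are constructed for illustration and do not describe the real request format.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined" log lines for demonstration only; not real traffic.
# The asset path and the name=notes.txt parameter are placeholders, not Brizy's real API.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:01:02 +0000] "POST /wp-content/plugins/brizy/editor/asset/media-processor.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [10/May/2025:12:01:05 +0000] "GET /wp-content/plugins/brizy/assets/example.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:12:01:09 +0000] "POST /wp-content/plugins/brizy/editor/asset/media-processor.php?name=notes.txt HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2025:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the advisory's log indicators that a parsed request matches (empty if none)."""
    reasons: List[str] = []
    uri = rec["uri"].lower()
    # Only POSTs to Brizy plugin paths are of interest, mirroring the SIEM query above.
    if rec["method"] != "POST" or "brizy" not in uri:
        return reasons
    if "media-processor" in uri:
        reasons.append("post-to-brizy-media-processor")
    if ".txt" in uri:  # .TXT upload attempt referenced in the request path or query
        reasons.append("txt-upload-to-brizy-endpoint")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a block of log text and return one hit per suspicious request."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-combined-format lines
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `.txt` match keys on the request line only; if the upload filename travels in a multipart body, pair this with the web server's upload logging or the SIEM query above.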
🔗 References
- https://plugins.trac.wordpress.org/browser/brizy/tags/2.6.17/editor/asset/media-processor.php#L27
- https://plugins.trac.wordpress.org/browser/brizy/tags/2.6.17/editor/asset/static-file-trait.php#L44
- https://www.wordfence.com/threat-intel/vulnerabilities/id/db18f6b4-600d-4c63-a9f2-4e3b8ab4fba3?source=cve