A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) has been installed on more than 90,000 sites. It’s billed as an intuitive website builder for those without technical skills. It comes with a collection of more than 500 pre-designed blocks, maps and video integration and drag-and-drop design functionality. According to researchers, it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability prior to version 2.3.17.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.
“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
Foundation for Attack: A Re-Introduced Access Control Bug
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020, but reintroduced in version 1.0.127 this year. It’s a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin uses a pair of administrator functions for a wide variety of authorization checks, and “any user that passed one of these checks was assumed to be an administrator.” They added, “being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check.”
The upshot of this is that all logged-in users, such as subscribers to a newsletter, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
“While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site,” according to Wordfence’s analysis.
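The check pattern Wordfence describes, reconstructed as an added illustration (not Brizy's code) of a WordPress AJAX handler: a flawed "logged in plus admin-area URL equals administrator" test beside a proper per-post capability check. It assumes a WordPress runtime; the function `is_admin()` as the culprit, the action and nonce names, and the `example_` helpers are assumptions.

```php
<?php
// Added illustration, not Brizy's code. Assumes a WordPress runtime
// (is_admin, current_user_can, check_ajax_referer, wp_update_post ...).

// Flawed pattern: treating "logged in and reached a wp-admin URL" as
// proof of administrator rights. is_admin() only reports that an admin-area
// URL (admin-ajax.php included) is being served, which any subscriber can reach.
// (Assumption: the write-up does not name the exact function Brizy used.)
function example_is_admin_flawed(): bool {
    return is_user_logged_in() && is_admin();
}

// Hardened: ask WordPress whether THIS user may edit THIS post. The edit_post
// meta capability already accounts for ownership and published status.
function example_can_edit_post(int $post_id): bool {
    if (!is_user_logged_in() || $post_id <= 0) {
        return false;
    }
    return current_user_can('edit_post', $post_id);
}

function example_ajax_update_post(): void {
    // Hypothetical action and nonce names; a nonce ties the request to the user.
    check_ajax_referer('example_update_post', 'nonce');
    $post_id = isset($_POST['post_id']) ? (int) $_POST['post_id'] : 0;

    if (!example_can_edit_post($post_id)) {
        wp_send_json_error('insufficient permissions', 403); // exits
    }
    $content = isset($_POST['content'])
        ? wp_kses_post(wp_unslash($_POST['content']))   // strip disallowed HTML/script
        : '';
    $result = wp_update_post(['ID' => $post_id, 'post_content' => $content], true);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success(['post_id' => $post_id]);
}
add_action('wp_ajax_example_update_post', 'example_ajax_update_post');
```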
Authenticated Stored Cross-Site Scripting
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it’s a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
Authenticated File Upload and Path Traversal
The second new bug is a high-severity arbitrary file-upload issue (CVE-2021-38346) that could allow authenticated users to upload files to a site. But again thanks to the authorization check vulnerability, it becomes possible for subscriber-level users to elevate their privileges, then upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action, according to Wordfence researchers.
Other kinds of attacks are also possible, according to the analysis.
“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” they explained. “For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.”
Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added.
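An added, standalone PHP illustration (not Brizy's code) of why appending `.jpg` to a caller-supplied name is not enough, beside a hardened scheme that rejects traversal and double extensions and derives the extension from file bytes. The parameter names, the `weak_target`/`hardened_target` helpers and the sample requests are constructed for the example.

```php
<?php
// Added illustration, not Brizy's code. Plain PHP CLI, no WordPress needed.

// Weak scheme as described in the write-up: keep the caller's name, append
// ".jpg". "shell.php" becomes "shell.php.jpg" (still run by a loose
// AddHandler/unanchored SetHandler) and "../x" escapes the upload directory.
function weak_target(string $dir, string $id): string {
    return $dir . '/' . $id . '.jpg';
}

// Hardened scheme: the caller's name never reaches the filesystem path.
// Returns the path to write, or null when the request must be rejected.
function hardened_target(string $dir, string $id, string $data): ?string {
    // 1. Allow only a short token: no dots, no slashes, so no traversal
    //    and no double extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    // 2. Decide the extension from the bytes, not from the name.
    if (strncmp($data, "\xFF\xD8\xFF", 3) === 0) {
        $ext = 'jpg';
    } elseif (strncmp($data, "\x89PNG\r\n\x1a\n", 8) === 0) {
        $ext = 'png';
    } else {
        return null; // not an image: PHP source gets no file at all
    }
    // 3. Server-generated basename under a fixed, resolved directory.
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . hash('sha256', $id) . '.' . $ext;
    // 4. Belt and braces: the final path must still lie inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample requests (not captured traffic): id and decoded payload.
$cases = [
    ['shell.php',       '<?php echo 1;'],
    ['../../shell.php', '<?php echo 1;'],
    ['block42',         "\xFF\xD8\xFF\xE0 jpeg bytes"],
];
foreach ($cases as [$id, $data]) {
    printf("%-16s weak=%s  hardened=%s\n", $id, weak_target('uploads', $id),
        hardened_target(sys_get_temp_dir(), $id, $data) ?? 'REJECTED');
}
```

Only the third case yields a path; the first two are rejected at step 1, and a PHP payload under a clean name would still fail at step 2.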
Users can protect themselves by updating to the latest version of the plugin, version 2.3.17.
XSS Plugin Plague
XSS vulnerabilities in WordPress plugins have been far from scarce so far in 2021. For instance, in August an authenticated stored XSS vulnerability was found in the SEOPress WordPress plugin, which is installed on 100,000 websites.
In February, a stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users. The developers didn’t issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
And in January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin called Orbit Fox that has 40,000 installs, that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.