AI description
CVE-2024-10960 is a vulnerability affecting the Brizy – Page Builder plugin for WordPress. Due to a lack of file type validation within the plugin's "storeUploads" function, authenticated users with contributor-level access or higher could upload arbitrary files to the server hosting the WordPress site. This vulnerability affects Brizy versions 2.6.4 and earlier. The potential outcome of a successful exploit could be remote code execution on the affected server.
- Description
- The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Source
- security@wordfence.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security@wordfence.com
- CWE-434
- Hype score
- Not currently trending
Serious vulnerability (CVE-2024-10960) in the popular WordPress plugin "Brizy – Page Builder" #SecurityMeasures #Security https://t.co/iUXSKaCoVs
@securityLab_jp
18 Feb 2025
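A critical vulnerability in Brizy – Page Builder, a WordPress plugin used by more than 80,000 sites. CVE-2024-10960 has a CVSS score of 9.9 and is a validation flaw in the storeUploads function. Attackers with contributor-level privileges or higher can upload arbitrary files. https://t.co/OTTnFe7cqr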
@__kokumoto
16 Feb 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:brizy:brizy:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "318CE83C-F93C-4B84-AACF-541CDB997487",
            "versionEndExcluding": "2.6.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]