CVE-2024-1165 in Brizy Page Builder Plugininfo

Summary

by MITRE • 02/26/2024

The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/12/2026

The Brizy – Page Builder plugin for WordPress presents a critical directory traversal vulnerability identified as CVE-2024-1165 affecting all versions through 2.4.39. This security flaw resides in the plugin's handling of the 'id' parameter within its file upload functionality, creating a pathway for unauthorized file manipulation on affected systems. The vulnerability specifically targets authenticated users who possess contributor-level privileges or higher, making it particularly concerning given the relatively low access requirements needed to exploit this weakness. The directory traversal mechanism allows attackers to manipulate file paths and write files to locations outside the intended upload directories, potentially enabling arbitrary code execution or data compromise.

The technical implementation of this vulnerability stems from insufficient input validation and path sanitization within the plugin's file handling routines. When processing the 'id' parameter, the system fails to properly validate or sanitize user-supplied input, allowing malicious actors to manipulate directory paths through crafted parameters. This weakness aligns with CWE-22 Directory Traversal and represents a classic example of improper input validation that enables attackers to bypass intended security restrictions. The vulnerability operates through the plugin's file upload interface, where the 'id' parameter controls the destination path for uploaded files, making it possible for attackers to specify arbitrary server locations for file placement.

The operational impact of CVE-2024-1165 extends beyond simple file upload capabilities, as it creates opportunities for attackers to establish persistent footholds within affected WordPress installations. An authenticated contributor-level user can leverage this vulnerability to upload malicious files to critical system directories, potentially leading to complete system compromise. The attack vector follows established patterns documented in the MITRE ATT&CK framework under techniques such as T1059 Command and Scripting Interpreter and T1505 Server Software Component, where attackers exploit web application vulnerabilities to gain unauthorized access. The vulnerability's exploitation potential increases significantly when combined with other weaknesses, as attackers can upload web shells or malicious plugins to maintain persistent access to compromised systems.

Organizations running affected versions of the Brizy plugin must implement immediate remediation measures to protect their WordPress installations from exploitation. The primary mitigation strategy involves upgrading to the latest plugin version where the directory traversal vulnerability has been patched. System administrators should also consider implementing additional security controls such as restricting file upload capabilities, implementing web application firewalls, and monitoring for unusual file upload activities. The vulnerability demonstrates the importance of proper input validation and access control enforcement, as highlighted in security frameworks like NIST SP 800-53 and ISO 27001 controls. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other WordPress plugins and themes, as this type of vulnerability commonly affects web applications with insufficient parameter validation mechanisms.

Responsible

Wordfence

Reservation

02/01/2024

Disclosure

02/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00817

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!