The broken access control vulnerability was reported to the authors on 20th May, 2020. On 2nd June, 2020 a new version 1.0.125 was released. However, because all vulnerabilities were still exploitable in version 1.0.125, the authors were contacted again the same day. In the result of it a new version 1.0.126 was released on 3rd June, 2020.Now the WordPress Brizy Page Builder plugin fixed a broken access control vulnerability which was affecting version 1.0.125 and below that could allow any authenticated user to gain full access to the editor.
Few Points to Remember About the Brizy Page Builder
- Version: 1.0.126
- Last updated: 2 weeks ago
- Active installations: 60,000+
- WordPress Version: 4.5 or higher
- Tested up to: 5.3.4
- PHP Version: 5.6 or higher
- Languages: 30
Brizy Uses Its Own Role Manager:
Brizy is a Page Builder Plugin so as other page builder plugins Brizy also uses its own role manager. You can set the access control of the editor, author, contributor and subscriber from role manager to allow or restrict access to the editor role manager relies on its two capabilities (
brizy_edit_content_only). There’s no other safeguard, except a couple of security nonce used to prevent CSRF attacks.
Broken Access Control
To checks if the user is allowed to access the editor and its functions throughout its code by calling is_user_allowed() function for instance in initializeApiActions()function which is located in the script called ‘brizy/editor/api.php’
The is_user_allowed() function is located in the ‘brizy/editor.php’ script.
In the same script the is_administrator() function also found. By calling it can check if the user is logged in and has the right capability or not and also checks if it is an admin y calling same function.
This function will again check if the user is logged in and it will return the value of either the is_admin() or is_super_admin() functions. The function is_super_admin() will check whether the user is an administrator (single site) or super admin (multi site), while the is_admin() function will only check whether the user is accessing a page from the back end or not, hence when called by a logged in user the function will always return true value.
If you are using web application firewall for WordPress, Ninja Firewall WP Edition (free) and Ninja Firewall WP+ Edition (premium), then you don’t need to upgrade and you are protected against this vulnerability. But if you have version 1.0.125 or below then you need to upgrade as soon as possible.