CVE-2025-4370

Published: Jul 29, 2025Modified: Aug 11, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server.

Affected (1)

Products: Brizy: Brizy

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Brizy Brizy	Before 2.6.21

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://plugins.trac.wordpress.org/browser/brizy/tags/2.6.17/editor/asset/media-processor.php#L27

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/brizy/tags/2.6.17/editor/asset/static-file-trait.php#L44

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/db18f6b4-600d-4c63-a9f2-4e3b8ab4fba3?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.