WordPress plugin exploit puts over 90,000 sites at risk

A user with WordPress on their desktop computer

Researchers have unearthed a series of vulnerabilities that could have compromised thousands of WordPress websites.

Potentially exploitable bugs were found in the Brizy Page Builder, a WordPress plugin that is installed across more than 90,000 websites, according to security firm Wordfence.

The company's Threat Intelligence team reported the issues in August and a fix was released shortly afterwards, but it's likely that a number of installations still remain unpatched. If exploited, it could allow attackers to execute "complete site takeover" and add malicious code to existing posts.

The vulnerabilities could also allow for any registered user, including subscribers, to pass as an administrator, where they could modify posts and pages, even if they had already been published on a site.

The Wordfence's Threat Intelligence team said it stumbled upon the vulnerability while conducting a routine review of the Wordfence firewall in July. It said the plugin "did not appear" to be under active attack, but they were led to believe that there was something amiss following "unusual traffic".

"The unusual traffic led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced," Wordfence wrote in a blog post. "Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover."

A patched version of the Brizy Page Builder plugin, was released on 24 August, just a few days after Wordfence disclosed the vulnerability. Wordfence "strongly recommends" users update to the latest version of the Brizy Page Builder (2.3.17) as soon as possible.

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognise him as the face of many of our video reviews of laptops and smartphones.