CVE-2025-4370 | THREATINT

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server.

Reserved 2025-05-05 | Published 2025-07-29 | Updated 2025-07-29 | Assigner Wordfence

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

affected

Timeline

2025-04-28:	Discovered
2025-07-28:	Disclosed

Credits

Michael Mazzolini finder

References

www.wordfence.com/...-600d-4c63-a9f2-4e3b8ab4fba3?source=cve

plugins.trac.wordpress.org/...or/asset/static-file-trait.php

plugins.trac.wordpress.org/...itor/asset/media-processor.php

cve.org (CVE-2025-4370)

nvd.nist.gov (CVE-2025-4370)

Download JSON