PT-2021-22066 · WordPress · Brizy – Page Builder

Ramuel Gall · Published 2021-10-14 · Updated 2022-07-05 · CVE-2021-38346

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Brizy Page Builder plugin versions <= 2.3.11 for WordPress

Description

The issue allows authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file name is determined by the id parameter, which can be modified to perform directory traversal by prepending "../". The file contents are populated via the ibsf parameter, which is base64-decoded and written to the file. Although the plugin adds a .jpg extension to uploaded filenames, a double extension attack is still possible, allowing executable files to be uploaded. For example, a file named "shell.php" would be saved as "shell.php.jpg" and could be executable on certain configurations.

Recommendations

For Brizy Page Builder plugin versions <= 2.3.11, update to a version greater than 2.3.11 to resolve the issue. As a temporary workaround, consider disabling the brizy_create_block_screenshot AJAX action until a patch is available. Restrict access to the id and ibsf parameters to minimize the risk of exploitation. Avoid using the id parameter with "../" to prevent directory traversal attacks.
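
A defender-side check for the request shape described above, as an added example that is not the plugin's code or its patch: it flags id values that carry traversal or an executable extension, and ibsf payloads that do not decode to JPEG data. The function name, the id allow-list pattern and the assumption that a legitimate screenshot is JPEG data are this example's own.

```python
import base64
import binascii
import re

# Assumption: a legitimate block screenshot is JPEG data, since the plugin
# appends ".jpg" to the file name.
JPEG_MAGIC = b"\xff\xd8\xff"
# Extensions some server configurations still execute when ".jpg" follows them.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# Hypothetical allow-list for id: a short opaque token, no dots or slashes.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_screenshot_request(id_param, ibsf_param):
    """Return findings for one URL-decoded (id, ibsf) pair; [] means nothing flagged."""
    findings = []
    if ".." in id_param or "/" in id_param or "\\" in id_param:
        findings.append("path-traversal")
    if EXEC_EXT.search(id_param):
        findings.append("double-extension")
    if not SAFE_ID.fullmatch(id_param):
        findings.append("id-not-allowlisted")
    try:
        data = base64.b64decode(ibsf_param, validate=True)
    except (binascii.Error, ValueError):
        findings.append("ibsf-not-base64")
        return findings
    if not data.startswith(JPEG_MAGIC):
        findings.append("content-not-jpeg")
    if b"<?php" in data.lower() or b"<?=" in data:
        findings.append("php-tag-in-content")
    return findings


if __name__ == "__main__":
    # Constructed sample parameters, not captured traffic.
    samples = [
        ("block_42", base64.b64encode(JPEG_MAGIC + b"\xe0" + b"\x00" * 8).decode()),
        ("../shell.php", base64.b64encode(b"<?php /* constructed sample */ ?>").decode()),
    ]
    for id_param, ibsf_param in samples:
        print(repr(id_param), check_screenshot_request(id_param, ibsf_param))
```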

Fix

Unrestricted File Upload

XSS

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-38346

Affected Products

Brizy – Page Builder