CVE-2024-3242

Name of the Vulnerable Software and Affected Versions Brizy – Page Builder plugin for WordPress versions up to, and including, 2.4.43 Brizy – Page Builder plugin for WordPress version 2.4.44

Description The issue is related to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages. This allows authenticated attackers with contributor access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible.

Recommendations For versions up to, and including, 2.4.43, update to version 2.4.45 to fully patch the issue. For version 2.4.44, update to version 2.4.45 to fully patch the issue, as version 2.4.44 only prevents the upload of files ending in .sh and .php.