CVE-2021-38345: 
WordPress vulnerability analysis and mitigation

The Brizy Page Builder WordPress plugin, installed on more than 90,000 sites, contained a critical vulnerability tracked as CVE-2021-38345. This vulnerability was initially discovered and patched in June 2020 but was reintroduced in version 1.0.127. The flaw affected versions up to 2.3.11, allowing any logged-in user to modify the content of any existing post or page created with the Brizy editor due to an incorrect authorization check (Threatpost, Wordfence).

The vulnerability stems from improper authorization checks in administrator functions. The plugin's security mechanism incorrectly assumed that any user accessing endpoints in the wp-admin directory was an administrator. This authorization bypass received a CVSS v3.1 base score of 6.5 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, while Wordfence assessed it at 7.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L (NVD).

When exploited, this vulnerability allows any authenticated user, even those with minimal privileges such as subscribers, to modify any post or page created with the Brizy editor. When combined with other vulnerabilities, it could enable complete site takeover through malicious JavaScript injection or arbitrary file uploads (Threatpost).

The vulnerability was addressed in version 2.3.17 of the Brizy Page Builder plugin. Site administrators were advised to update to this latest version to protect against potential exploitation (Threatpost).