CVE-2024-1937: 
WordPress vulnerability analysis and mitigation

The Brizy – Page Builder plugin for WordPress contains a vulnerability (CVE-2024-1937) due to a missing capability check on the 'update_item' function in versions up to and including 2.4.44. This security flaw was discovered and reported by Wordfence, with the initial disclosure made on July 16, 2024 (NVD).

The vulnerability stems from a missing authorization check in the 'update_item' function, which allows authenticated users with contributor-level access or higher to modify content of arbitrary published posts. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) according to NVD, while Wordfence rates it as HIGH with a CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability enables authenticated attackers with contributor-level access or higher to modify the content of any published posts on the affected WordPress site. This includes the ability to insert malicious JavaScript code into existing posts, potentially leading to cross-site scripting attacks (NVD).

Users should update their Brizy – Page Builder plugin to a version newer than 2.4.44, which contains the security fix. A patch has been made available through the WordPress plugin repository (WordPress Patch).