Lucene search

[email protected]NVD:CVE-2023-2897

HistoryJun 09, 2023 - 7:15 a.m.

CVE-2023-2897

2023-06-0907:15:10

CWE-345

[email protected]

web.nvd.nist.gov

brizy page builder

wordpress plugin

ip address spoofing

vulnerability

maintenance mode

disclosure

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an ‘X-Forwarded-For’ HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the ‘X-Forwarded-For’ header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.

Affected configurations

Nvd

Node

brizybrizyRange≤2.4.18wordpress

VendorProductVersionCPE
brizybrizy*cpe:2.3:a:brizy:brizy:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
brizy	brizy	*	cpe:2.3:a:brizy:brizy::::::wordpress::*

References

plugins.trac.wordpress.org/changeset/2919443/brizy

www.wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316?source=cve

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

Related for NVD:CVE-2023-2897

cvelist1 cve1 prion1 wordfence1