Brizy < 2.3.12 - Authenticated File Upload and Path Traversal

Using the brizy_create_block_screenshot AJAX action, it was possible to provide a filename using the id parameter, and populate the file contents via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin appended .jpg to all uploaded filenames, a double extension attack was also possible. For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with …/ to perform a directory traversal attack and place their file in an arbitrary location.