LIFARS, a SecurityScorecard company

WordPress Plugin Posed Vulnerabilities Endangering Thousands of Websites

Several potentially exploitable issues have been found in Brizy Page Builder, a WordPress plugin. Security researchers at Wordfence uncovered several flaws in the plugin that could have allowed thousands of WordPress websites to be compromised. Brizy is installed on more than 90,000 websites.

The vulnerabilities were discovered during a periodic review of Wordfence firewall data around August this year. Wordfence noticed “abnormal traffic” aimed at the plugin; although the plugin did not appear to be under active attack, the traffic suggested that something was wrong with it. Investigating the targeted requests led to the discovery of two new vulnerabilities in the plugin and of a previously fixed access control vulnerability that had been reintroduced.

Following a series of unsuccessful attempts to contact the vendor, the security company reported the problem to the WordPress.org team, which took the plugin down so that the developers could produce a fix. The first part of the fix was released in early September, and a complete patch followed before the end of the month. Users are advised to install and activate the latest version of the Brizy Page Builder plugin immediately.


The LIFARS process incorporates a stochastic probability of confirming a compromise, examination of both false positives and false negatives to ensure accuracy during IOC identification, and pattern matching to identify compromises and weak areas within the environment.


What Can Happen From These Vulnerabilities

The most serious concern is that these vulnerabilities can be chained together to permit a complete site takeover. Another is that any logged-in user could edit any published post; such a user could insert malicious JavaScript into a post that compromises the website or harvests information from visitors. In addition, a weakness in the plugin lets any user achieve remote code execution by uploading potentially executable files.

This additional flaw could be combined with the access control weakness to allow a total site takeover. Because of the nature of these vulnerabilities, any registered user, even a subscriber, could act as an administrator and modify posts and pages, including ones that have already been published on the site.

The plugin performs a large number of its permission checks through a pair of administrative functions, and any user who passes one of these checks is granted the corresponding capabilities. Simply logging in and visiting any endpoint under the wp-admin directory is enough to pass this verification.
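The check described above, where any authenticated user reaching a wp-admin endpoint passes, is the behaviour of WordPress core's `is_admin()`, which reports whether the current request is for an admin screen, not whether the user is an administrator. The plugin file below is an added illustration for this article, not code from Brizy or Wordfence; it assumes (as a hypothetical) that the plugin's check was built on `is_admin()`, and shows the weak check beside a hardened one that asks WordPress about the user's actual capabilities, binds the request to a nonce, strips scripts from post content and routes uploads through core's file-type validation. All `example_*` names are constructed.

```php
<?php
/**
 * Plugin Name: Example capability checks (added illustration, not Brizy code)
 */

// WEAK PATTERN (hypothetical reconstruction of the bug class the article
// describes): is_admin() is true for every request to /wp-admin/ or
// admin-ajax.php, so a logged-in subscriber passes this "admin" test.
function example_is_user_allowed_weak(): bool {
    return is_admin();
}

// HARDENED PATTERN: check the user's capability for the specific post and
// require a nonce so the action cannot be triggered cross-site.
function example_is_user_allowed_for_post( int $post_id ): bool {
    return current_user_can( 'edit_post', $post_id )
        && false !== check_ajax_referer( 'example_save_post', 'nonce', false );
}

// Saving post content: forbid unless the user may edit *this* post, and run
// the content through wp_kses_post() unless the user holds unfiltered_html,
// so a low-privilege account cannot store <script> payloads in a post.
add_action( 'wp_ajax_example_save_post', 'example_save_post' );
function example_save_post(): void {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! example_is_user_allowed_for_post( $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = wp_unslash( $_POST['content'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// File upload: require the upload_files capability and a nonce, then hand the
// file to wp_handle_upload(), which rejects extensions and MIME types outside
// the site's allowlist (no .php/.phtml), so the endpoint cannot be used to
// place executable code on the server.
add_action( 'wp_ajax_example_upload', 'example_upload' );
function example_upload(): void {
    if ( ! current_user_can( 'upload_files' )
        || false === check_ajax_referer( 'example_upload', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}
```

When reviewing a plugin, grep for `is_admin()` used as an authorization decision; it should only ever be used to decide whether admin-side hooks are loaded, never whether a request is allowed.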

Ways To Mitigate Vulnerability of a WP Plugin

Because a site takeover is possible, it is necessary to adopt strategies that mitigate exploitation. Whatever the purpose of your website, understanding how to keep your WordPress site secure is critical to its success.
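As an added example of site-level hardening (not code from the original article, Brizy or Wordfence), the must-use plugin below applies four settings that each counter one outcome described above: stale plugins, abuse of the dashboard code editors after a takeover, uploads of executable files, and unfiltered HTML in posts. It uses only WordPress core constants and filters (`auto_update_plugin`, `DISALLOW_FILE_EDIT`, `DISALLOW_UNFILTERED_HTML`, `upload_mimes`, `wp_handle_upload_prefilter`); the allowlist of upload types is a constructed example to adjust per site.

```php
<?php
/**
 * Plugin Name: Example site hardening (added illustration, mu-plugin)
 *
 * Save as wp-content/mu-plugins/example-hardening.php so it loads before
 * regular plugins and cannot be deactivated from the dashboard.
 */

// 1. Keep plugins patched: let WordPress apply plugin updates automatically.
//    (Plugins pulled from the repository, as Brizy was, receive no updates
//    until they are restored, so this is a complement to manual checks.)
add_filter( 'auto_update_plugin', '__return_true' );

// 2. Remove the in-dashboard plugin/theme editors so a hijacked admin session
//    cannot turn an existing PHP file into a backdoor.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 3. Deny the unfiltered_html capability to every role, so core's kses filter
//    strips <script> and event-handler attributes from all saved post content.
if ( ! defined( 'DISALLOW_UNFILTERED_HTML' ) ) {
    define( 'DISALLOW_UNFILTERED_HTML', true );
}

// 4a. Shrink the upload allowlist to the types the site actually needs
//     (constructed example list).
add_filter( 'upload_mimes', function ( array $mimes ): array {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
    return array_intersect_key( $mimes, $allowed );
} );

// 4b. Refuse names carrying a PHP extension anywhere in the filename
//     (e.g. "image.php.jpg"), before core's own type check runs.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file['name'] ) ) {
        $file['error'] = 'File type not permitted.';
    }
    return $file;
} );
```

These settings only govern uploads and content that pass through core's APIs; a plugin that writes files or post content through its own code paths, as the flaws above did, is only contained by updating or removing that plugin.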

Final Thoughts

As part of your effort to reduce the exposure of your WordPress site, make sure that you have implemented all of the security measures available to you and that you check for updates regularly. Ensuring the integrity of your website is not difficult and can often be done without spending a large amount. If you do not take specific precautions, however, you may find yourself the victim of a cyberattack.


References

https://thecybersecurity.news/general-cyber-security-news/wordpress-plugin-exploit-puts-over-90000-sites-at-risk-13606/

https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover/

https://www.itpro.co.uk/security/vulnerability/361237/wordpress-plugin-exploit-puts-over-90000-sites-at-risk
