CVE-2024-10960 — AI Deep Analysis Summary

🚨 **Essence**: Brizy Page Builder < 2.6.5 lacks file type validation. 📉 **Consequences**: Attackers can upload malicious files and execute **Remote Code Execution (RCE)** on the server. 💥 Critical integrity loss.

🛡️ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). ❌ The plugin fails to verify the file type before allowing uploads. 🐛 A fundamental input validation flaw.

🏢 **Vendor**: Themefusecom. 📦 **Product**: Brizy – Page Builder. 📅 **Affected**: Versions **2.6.4 and earlier**. ✅ **Fixed**: Version 2.6.5+.

👮 **Privileges**: Requires **Low Privileges** (PR:L). 🗝️ **Impact**: **High** (C:H, I:H, A:H). Hackers gain full control, modify data, and disrupt services via RCE. 🕵️‍♂️ No user interaction needed.

⚡ **Threshold**: **Low**. 🌐 **Network**: Attack Vector is Network (AV:N). 🚫 **UI**: No User Interaction required (UI:N). 🔑 **Auth**: Needs Low Privileges (e.g., Subscriber/Editor role). Easy to exploit remotely.

📜 **Public Exp?**: No specific PoC provided in data. 📰 **References**: WordFence and WordPress Trac confirm the fix. 🕵️‍♂️ Wild exploitation is likely given the low barrier, but no active exploit code is listed here.

🔍 **Check**: Scan for Brizy plugin version. 📉 **Flag**: If version ≤ 2.6.4, you are vulnerable. 📂 **Inspect**: Look for unvalidated file upload endpoints in `editor/zip/archiver.php`.…

✅ **Fixed**: Yes! **Version 2.6.5** patches this. 🔄 **Action**: Update Brizy plugin immediately. 📝 **Commit**: See changeset 3222672 in WordPress Trac. 🛡️ Official patch is available.

🚧 **No Patch?**: Disable the plugin if possible. 🚫 **Block**: Restrict file upload permissions in `wp-config.php` or server config. 🛡️ **WAF**: Use Web Application Firewall to block malicious upload requests.…

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Score is High (likely 8.8+). ⏳ **Time**: Patch immediately. 📉 **Risk**: RCE allows total server compromise. 🏃‍♂️ Do not delay. Update to 2.6.5+ NOW.