IP Address Spoofing Vulnerability in Brizy Page Builder Plugin for WordPress (up to version 2.4.18)

IP Address Spoofing Vulnerability in Brizy Page Builder Plugin for WordPress (up to version 2.4.18)

CVE-2023-2897 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the 'X-Forwarded-For' header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.

Learn more about our Wordpress Pen Testing.