CVE-2023-2897: The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an...

3.7 CVSS

Description

The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the 'X-Forwarded-For' header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.
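To make the flaw concrete, here is an added example (not the plugin's code) contrasting the trusting pattern the advisory describes with a hardened client-IP resolver that only honours `X-Forwarded-For` when the connecting peer is a known reverse proxy; the allow-list, proxy list and request values are constructed for illustration.

```php
<?php
// Added example, not the Brizy plugin's code. The header names are standard PHP
// $_SERVER keys; $trustedProxies, $allowList and the sample request are assumptions.

/** Vulnerable: X-Forwarded-For is client-controlled, so any visitor can claim an allowed IP. */
function clientIpVulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return $hops[0];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened: start from REMOTE_ADDR, which the web server fills from the TCP connection.
 * Only if that peer is a trusted reverse proxy, walk X-Forwarded-For from the right and
 * return the first hop that is not itself a trusted proxy; malformed entries fall back.
 */
function clientIpHardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // garbage in the header: trust only the connection address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a proxy; nothing better than the peer address
}

/** Maintenance-mode gate: strict, exact-match comparison against the allow-list. */
function maintenanceAllowed(string $clientIp, array $allowList): bool
{
    return in_array($clientIp, $allowList, true);
}

// Constructed request: a direct visitor (no proxy in front) claims an allow-listed address.
$allowList      = ['198.51.100.7'];
$trustedProxies = ['10.0.0.2'];
$server = ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];

var_dump(maintenanceAllowed(clientIpVulnerable($server), $allowList));            // trusting path
var_dump(maintenanceAllowed(clientIpHardened($server, $trustedProxies), $allowList)); // hardened path
```

Both functions can be checked directly with `php -f` against the embedded request; in a real deployment the trusted-proxy list must be the actual addresses of the load balancer or CDN tier, and without any such tier the header should not be consulted at all.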

Classification

CVE ID: CVE-2023-2897

CVSS Base Severity: LOW

CVSS Base Score: 3.7

Affected Products

Vendor: themefusecom

Product: Brizy – Page Builder

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation)

EPSS Percentile: 22.92% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-04 (date the score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316?source=cve
https://plugins.trac.wordpress.org/changeset/2919443/brizy

Timeline