CVE-2026-32408

Vulnerability

Overview

The Brizy WordPress plugin, versions 2.7.23 and earlier, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, which fail to properly implemented authorization checks are absent in certain functions. The issue is classified as a broken access control problem, meaning the plugin fails to verify that a user has the necessary privileges before allowing access to sensitive actions [1].

Exploitation

An attacker can exploit this vulnerability without needing any special privileges, as the missing authorization check allows unprivileged users to perform actions that should require higher-level permissions. The attack surface is the WordPress admin interface, and no authentication is required beyond a standard user account. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to execute higher-privileged actions, potentially leading to unauthorized content modification, user role escalation, or other administrative operations. The CVSS v3 score of 4.3 (Medium) reflects the limited but real risk of unauthorized access to protected functionality [1].

Mitigation

The vendor has released version 2.7.24 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].