CVE-2025-4370: CWE-862 Missing Authorization in themefusecom Brizy – Page Builder
The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the process_external_asset_urls function as well as missing path validation in the store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files to the affected site's server.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-4370 is a vulnerability in the Brizy – Page Builder plugin for WordPress, developed by themefusecom. It stems from two missing controls present in all versions up to and including 2.6.20: the process_external_asset_urls function performs no authorization check, and the store_file function does not validate the destination path. Together these allow an unauthenticated, remote attacker to upload limited file types, specifically .TXT files, to the server hosting the vulnerable site, with no credentials and no user interaction.

The missing path validation further means uploaded files can land in arbitrary locations within the directories the web server can write to. Although uploads are restricted to .TXT files, the capability can still be abused for information disclosure, for staging payloads disguised as text, or for reconnaissance.

The weakness is classified as CWE-862 (Missing Authorization), a failure to enforce access control on a privileged operation. The CVSS v3.1 base score is 5.3 (medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact.

No patch or fix is linked at the time of writing, and no in-the-wild exploitation has been reported as of the publication date. The vulnerability nonetheless puts WordPress sites running this plugin at risk, particularly those exposed to the internet without additional security controls in front of them.
Potential Impact
The direct impact of CVE-2025-4370 is the unauthorized upload of .TXT files to the server hosting the vulnerable WordPress site. Even though uploads are limited to text files, an attacker could use them for information disclosure (for example, files carrying sensitive data or configuration details, if combined with other vulnerabilities), as a foothold for social engineering, or as one link in a chain with other flaws that leads to remote code execution or privilege escalation.

Integrity is partially compromised by the unauthorized writes, while confidentiality and availability impacts are minimal. Organizations running websites with the Brizy – Page Builder plugin face defacement, data leakage, or indirect compromise. Exploitation is remote and requires neither authentication nor user interaction, which widens the attack surface; however, because the uploaded files cannot be executed directly, the severity is lower than that of unrestricted file upload vulnerabilities. The absence of known in-the-wild exploits reduces immediate risk without eliminating the potential for future exploitation. For affected organizations the consequences can include reputational damage, loss of trust, and compliance exposure.
Mitigation Recommendations
To mitigate CVE-2025-4370:
- Confirm whether the Brizy – Page Builder plugin is installed and record its version; all versions up to and including 2.6.20 are affected.
- As an immediate measure, restrict public access to the plugin's upload endpoints with a web application firewall (WAF) or server-level access controls so that unauthenticated requests never reach them.
- Enforce strict input validation and path sanitization at the server level to block unauthorized file uploads and directory traversal attempts.
- Monitor web server logs for suspicious upload activity, in particular POST requests to plugin-related URLs.
- If feasible, disable or remove the plugin until a vendor patch is released.
- Use security plugins that enforce authorization checks on file uploads and restrict permitted file types beyond the plugin's default behavior.
- Update WordPress core and all plugins promptly once a version addressing this vulnerability is available.
- Schedule periodic security audits and penetration tests that cover file upload functionality.
- Train site administrators on the risks of unauthorized file uploads and apply least privilege to the user roles that manage the website.
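The two controls the advisory says are missing, an authorization check before the upload is processed and validation that the stored file stays inside the intended directory, look like this in a WordPress AJAX handler. This is an added illustration, not the Brizy plugin's code: the function names brizy_demo_*, the nonce action 'brizy_demo', the request fields name and contents, and the subdirectory 'brizy-demo' under wp-content/uploads are assumptions made for the example.

```php
<?php
// Added illustration of the two missing controls the advisory names (authorization
// and path validation); it is not the Brizy plugin's code. The function names
// brizy_demo_*, the nonce action 'brizy_demo' and the subdirectory 'brizy-demo'
// under wp-content/uploads are assumed for the example.

/** Reject the request before any file handling happens. */
function brizy_demo_authorize(): void {
    // Capability check: anonymous callers and low-privilege roles stop here.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'not allowed' ), 403 );
    }
    // Nonce check so a logged-in user cannot be made to fire this from another origin.
    check_ajax_referer( 'brizy_demo', 'nonce' );
}

/**
 * Build a destination path that is guaranteed to sit inside the uploads
 * subdirectory and carries an allow-listed extension. Returns false on rejection.
 */
function brizy_demo_safe_target( string $requested_name ) {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'brizy-demo';
    if ( ! wp_mkdir_p( $dir ) ) {
        return false;
    }
    $real_dir = realpath( $dir );
    if ( false === $real_dir ) {
        return false;
    }

    // Strip any directory component the client supplied, then sanitize the name.
    $name = sanitize_file_name( wp_basename( $requested_name ) );
    if ( '' === $name ) {
        return false;
    }
    // Allow-list: only a plain text extension is accepted.
    $type = wp_check_filetype( $name );
    if ( 'txt' !== $type['ext'] ) {
        return false;
    }

    $target = $real_dir . DIRECTORY_SEPARATOR . $name;
    // Defense in depth: the resolved parent must be exactly the uploads subdirectory.
    if ( realpath( dirname( $target ) ) !== $real_dir ) {
        return false;
    }
    return $target;
}

/** AJAX handler: authorize, validate, then write. */
function brizy_demo_store_file(): void {
    brizy_demo_authorize();

    $name     = isset( $_POST['name'] ) ? (string) wp_unslash( $_POST['name'] ) : '';
    $contents = isset( $_POST['contents'] ) ? (string) wp_unslash( $_POST['contents'] ) : '';

    $target = brizy_demo_safe_target( $name );
    if ( false === $target ) {
        wp_send_json_error( array( 'message' => 'rejected' ), 400 );
    }
    if ( false === file_put_contents( $target, $contents, LOCK_EX ) ) {
        wp_send_json_error( array( 'message' => 'store failed' ), 500 );
    }
    wp_send_json_success( array( 'stored' => wp_basename( $target ) ) );
}

// Register only the authenticated hook; the absence of a matching
// 'wp_ajax_nopriv_' registration is itself part of the authorization boundary.
add_action( 'wp_ajax_brizy_demo_store_file', 'brizy_demo_store_file' );
```

The ordering matters: the capability and nonce checks run before any input is read, so an unauthenticated request is refused without touching the filesystem, and the path is derived from the server-side uploads directory plus a basename rather than from anything the client controls. The final realpath comparison is redundant by construction but catches regressions if the name handling is later changed.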
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-05T19:49:56.278Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68884ee8ad5a09ad008b0616
Added to database: 7/29/2025, 4:32:40 AM
Last enriched: 2/27/2026, 2:27:44 PM
Last updated: 3/25/2026, 5:45:34 AM