CVE-2024-1937 HIGH

CVE-2024-1937: Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification

Vendor Themefusecom

Product Brizy – Page Builder

Weakness CWE-862 · Missing authorization

Published July 16, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript.

Key dates

02Disclosure timeline

July 16, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1937 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2022-47176 WordPress Depicter Slider plugin <= 1.9.0 - Broken Access Control vulnerability CVE-2023-51497 WordPress WooCommerce Ship to Multiple Addresses plugin <= 3.8.9 - Broken Access Control vulnerability CVE-2025-14386 Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover CVE-2025-63031 WordPress EasyTest plugin <= 1.0.1 - Broken Access Control vulnerability CVE-2025-5304 PT Project Notebooks 1.0.0 - 1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation via wpnb_pto_new_users_add Function