CVE-2025-26901 Overview
CVE-2025-26901 is a missing authorization vulnerability in the Brizy Pro plugin for WordPress. The flaw affects all versions of Brizy Pro up to and including 2.6.1. Incorrectly configured access control security levels allow authenticated users to perform actions that should be restricted to higher-privileged roles. The vulnerability is tracked under CWE-862: Missing Authorization and is documented in the Patchstack Brizy Pro Vulnerability advisory.
Critical Impact
An authenticated attacker with low privileges can exploit broken access control in Brizy Pro to compromise confidentiality, integrity, and availability of the affected WordPress site.
Affected Products
- Brizy Pro plugin for WordPress, versions up to and including 2.6.1
- WordPress sites running Brizy Pro with low-privileged authenticated user accounts enabled
- Component identifier: brizy:brizy (Pro edition)
Discovery Timeline
- 2025-04-09 - CVE-2025-26901 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-26901
Vulnerability Analysis
The Brizy Pro plugin exposes functionality that fails to enforce proper authorization checks before executing privileged actions. An attacker who holds any authenticated account on the WordPress site can invoke these actions over the network without user interaction. Successful exploitation enables modification of plugin-managed content, configuration changes, and disruption of site availability. The attack does not require administrative credentials, which lowers the barrier to exploitation in environments that permit subscriber or contributor registrations.
Root Cause
The root cause is the absence of capability and nonce verification on one or more plugin handlers, classified as CWE-862: Missing Authorization. The handlers rely on session authentication alone and do not validate whether the requesting user holds the required WordPress role or capability. This is consistent with the advisory description of "Incorrectly Configured Access Control Security Levels" in Brizy Pro through version 2.6.1.
Attack Vector
Exploitation occurs over the network against the WordPress admin-ajax or REST endpoints exposed by Brizy Pro. The attacker authenticates with a low-privileged account, then issues HTTP requests to the vulnerable plugin handlers. Because authorization is missing, the requests are processed with the effective rights of a privileged user. No social engineering or user interaction is required. Refer to the Patchstack advisory for affected endpoint details.
// No verified proof-of-concept code is publicly available.
// See the Patchstack advisory for technical details.
Detection Methods for CVE-2025-26901
Indicators of Compromise
- Unexpected modifications to Brizy-managed pages, templates, or global blocks performed by low-privileged accounts
- HTTP POST requests to Brizy plugin endpoints originating from subscriber, contributor, or author accounts
- New or altered WordPress options and post meta entries written by the brizy plugin outside of administrator sessions
- Sudden creation of pages or media uploads attributed to non-editor users
Detection Strategies
- Audit WordPress access logs for requests to wp-admin/admin-ajax.php and REST routes containing brizy made by non-administrative users
- Compare the WordPress posts, postmeta, and options tables against known-good baselines to identify unauthorized writes
- Enable verbose plugin and authentication logging in WordPress security plugins to capture privilege misuse
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform and alert on privileged plugin actions performed by low-tier roles
- Monitor user role distribution and flag privilege changes on accounts that recently interacted with Brizy endpoints
- Track plugin version inventory across all WordPress hosts and alert when Brizy Pro reports a version at or below 2.6.1
How to Mitigate CVE-2025-26901
Immediate Actions Required
- Update Brizy Pro to a release later than 2.6.1 as published by the vendor; consult the Patchstack advisory for the fixed version
- Audit all WordPress user accounts and remove unused subscriber, contributor, or author accounts that could be abused
- Review recent changes to Brizy-managed content and revert unauthorized modifications
Patch Information
The vendor has addressed the broken access control flaw in a Brizy Pro release after 2.6.1. Site administrators should apply the latest plugin update through the WordPress dashboard or by replacing plugin files. Verify the installed version after update by checking the Brizy Pro entry under wp-admin/plugins.php. Refer to the Patchstack Brizy Pro Vulnerability entry for the authoritative fixed version.
Workarounds
- Disable the Brizy Pro plugin until the patched version can be deployed, if business requirements permit
- Restrict user registration and require administrator approval for new accounts to limit the pool of authenticated attackers
- Place the WordPress admin interface behind an IP allowlist or web application firewall rule that blocks unauthenticated access to admin-ajax.php and Brizy REST routes
# Example: disable Brizy Pro via WP-CLI until a patched version is installed
wp plugin deactivate brizy-pro
wp plugin status brizy-pro
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

