CVE-2024-1296 in Brizy Page Builder Plugininfo

Summary

by MITRE • 03/13/2024

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The Brizy – Page Builder plugin for WordPress represents a widely used visual editing solution that allows users to create and modify web content through drag-and-drop interfaces. This particular vulnerability affects all versions up to and including 2.4.40, making it a significant security concern for WordPress installations that rely on this plugin for content management. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's block upload functionality, creating an exploitable condition that can be leveraged by malicious actors with appropriate privileges.

The technical flaw manifests in the plugin's handling of user-supplied attributes during the block upload process. When authenticated attackers with contributor-level permissions or higher attempt to upload blocks containing malicious scripts, the plugin fails to properly sanitize or escape these inputs before storing them in the database. This stored data is then subsequently rendered in web pages without adequate protection measures, creating a classic stored cross-site scripting vulnerability. The vulnerability specifically affects the plugin's block upload feature, which is designed to allow users to add various content elements to their pages through a visual interface.

The operational impact of this vulnerability is substantial as it enables authenticated attackers to execute arbitrary web scripts in pages containing the malicious content. This means that any user who accesses a page containing the injected script will unknowingly execute the malicious code in their browser, potentially leading to session hijacking, data theft, or further compromise of the affected WordPress installation. The vulnerability is particularly concerning because it requires only contributor-level permissions, which are often granted to users who need to create and edit content but should not have elevated privileges. This expands the potential attack surface significantly, as many WordPress installations have multiple users with contributor-level access.

The vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications. It also maps to ATT&CK technique T1548.002 which involves exploiting application vulnerabilities to gain privilege escalation and persistence. Organizations using the Brizy plugin should immediately implement mitigations including updating to the latest plugin version, implementing proper input validation, and considering additional security measures such as role-based access controls that limit the capabilities of users with contributor-level permissions. The stored XSS vulnerability creates a persistent threat that can remain undetected for extended periods, making it crucial for administrators to monitor their installations and apply security patches promptly to prevent exploitation.

Reservation

02/06/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00516

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!