CVE-2024-2087 in Brizy Plugin
Summary
by MITRE • 06/05/2024
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/26/2025
The Brizy Page Builder plugin for WordPress represents a widely used tool for creating custom web pages through visual drag-and-drop interfaces. This vulnerability affects versions up to and including 2.4.43, making it a significant concern for WordPress site administrators who rely on this plugin for their website construction. The plugin's functionality allows users to create forms and other interactive elements, which are then rendered on public-facing web pages. The vulnerability arises from the plugin's failure to properly sanitize user input when processing form name values, creating a persistent security flaw that can be exploited by attackers without authentication requirements.
The technical flaw manifests as a stored cross-site scripting vulnerability that specifically targets the form name parameter handling within the plugin's codebase. When administrators or users create forms through the Brizy interface, the form names are stored in the WordPress database without adequate sanitization. This stored data is then retrieved and displayed on public pages without proper output escaping mechanisms. The vulnerability follows the CWE-079 pattern of cross-site scripting, where attacker-controlled data is embedded into web pages viewed by other users. The lack of input validation and output escaping creates a persistent XSS vector that can affect any user who accesses a page containing maliciously injected script code.
The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to execute arbitrary web scripts in the context of affected websites. This means that any user who visits a page containing the malicious payload could have their browser execute scripts that perform actions such as stealing session cookies, redirecting to malicious sites, or performing unauthorized actions on behalf of the victim. The vulnerability is particularly dangerous because it does not require authentication to exploit, allowing attackers to compromise any website using the affected plugin version. This creates a persistent threat that can affect all users of the compromised site, including administrators, editors, and regular visitors who may unknowingly trigger the malicious scripts.
Security mitigations for this vulnerability should include immediate patching to version 2.4.44 or later, which contains the necessary input sanitization and output escaping fixes. Administrators should also implement additional monitoring of form-related data within their WordPress installations to detect any suspicious entries. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious web content, and T1059.001 for command and scripting interpreter execution. Organizations should conduct thorough security audits of their WordPress installations to identify any other plugins or themes that might be vulnerable to similar input sanitization issues. Regular security updates and proper input validation practices should be enforced across all web applications to prevent similar vulnerabilities from occurring in the future.