The plugin does not sanitise and escape the URL of some elements, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
As a contributor or above, create a post using the Brizy editor, add an Icon or Button element, and put the following payload in the "Link to" setting:

";</script><script>alert("XSS")</script>

The XSS will be triggered when viewing/previewing the post (for example, when an admin reviews it).
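The fix class for this issue, as an added example that is not Brizy's code: the payload's shape suggests the "Link to" value reaches a JavaScript string inside an inline script block, which is an assumption here, and the sketch below validates the link and encodes it for that context. The function names and the benign sample URL are hypothetical.

```php
<?php
// Added example, not Brizy's code. Assumption: the "Link to" value is
// written into a JavaScript string inside an inline <script> block.

// Hypothetical vulnerable pattern: raw concatenation into the script block.
function render_link_unsafe(string $url): string
{
    return '<script>var link = "' . $url . '";</script>';
}

// Hypothetical validator: allow http(s), mailto, tel, site-relative paths
// and anchors; reject control characters, spaces, quotes, angle brackets
// and backslashes. Anything else becomes an empty link.
function sanitize_link(string $url): string
{
    $url = trim($url);
    if ($url === '' || preg_match('/[\x00-\x20"\'<>\\\\]/', $url)) {
        return '';
    }
    return preg_match('~^(?:https?://|mailto:|tel:|/(?!/)|#)~i', $url) ? $url : '';
}

// Encode for the script context: the HEX flags turn <, >, &, ' and " into
// \uXXXX escapes, so the value cannot close the string or the element.
function js_string(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

function render_link_safe(string $url): string
{
    return '<script>var link = ' . js_string(sanitize_link($url)) . ';</script>';
}

// Payload quoted in the advisory, plus a constructed benign URL.
$samples = [
    '";</script><script>alert("XSS")</script>',
    'https://example.com/pricing?plan=pro&ref=home',
];

foreach ($samples as $input) {
    echo 'input:         ', $input, PHP_EOL;
    echo 'unsafe markup: ', render_link_unsafe($input), PHP_EOL;
    echo 'encoded only:  ', js_string($input), PHP_EOL;
    echo 'safe markup:   ', render_link_safe($input), PHP_EOL, PHP_EOL;
}
```

In WordPress code, `esc_url()` and `wp_json_encode()` play the roles that `sanitize_link()` and `js_string()` play here.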
Vishnupriya ilango
Vishnupriya ilango
Yes
2022-06-21 (about 1 years ago)
2022-06-21 (about 1 years ago)
2023-03-27 (about 6 months ago)