How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL

Description

The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the "Link to" setting: ";</script><script>alert("XSS")</script>

The XSS will be triggered when viewing/previewing the post (for example when an admin reviews it)

Affects Plugins

Fixed in version 2.4.2

References

CVE

URL

https://www.fortiguard.com/zeroday/FG-VD-21-111

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Vishnupriya ilango

Submitter

Vishnupriya ilango

Submitter website

https://www.fortiguard.com/zeroday

Verified

Yes

WPVDB ID

ab53a70c-57d5-400f-b11f-b1b7b2b0cf01

Timeline

Publicly Published

2022-06-21 (about 3 months ago)

Added

2022-06-21 (about 3 months ago)

Last Updated

2022-06-21 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin