CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1940 – Brizy – Page Builder <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1940
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Brizy – Page Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del contenido de la publicación en todas las versiones hasta la 2.4.41 incluida debido a una sanitización de entrada insuficiente realizada solo en el lado del cliente y un escape de salida insuficiente. Esto hace posible que atacantes autenticados, con acceso de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3055256%40brizy&new=3055256%40brizy&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/e056dcb5-a66b-4cd3-9a73-37f226015e09?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51396 – WordPress Brizy – Page Builder Plugin <= 2.4.29 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51396
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy – Page Builder allows Stored XSS.This issue affects Brizy – Page Builder: from n/a through 2.4.29. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en Brizy.Io Brizy – Page Builder permite XSS almacenado. Este problema afecta a Brizy – Page Builder: desde n/a hasta 2.4.29. The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/brizy/wordpress-brizy-page-builder-plugin-2-4-29-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2041 – Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element Content
https://notcve.org/view.php?id=CVE-2022-2041
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks El plugin Brizy de WordPress versiones anteriores a 2.4.2, no sanea ni escapa del contenido de algunos elementos, lo que podría permitir a usuarios con un rol tan bajo como el de Contribuyente llevar a cabo ataques de tipo Cross-Site Scripting Almacenado • https://wpscan.com/vulnerability/8edb11bc-9e8d-4a98-8538-aaff0f072109 https://www.fortiguard.com/zeroday/FG-VD-21-110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2040 – Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
https://notcve.org/view.php?id=CVE-2022-2040
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks El plugin Brizy de WordPress versiones anteriores a 2.4.2, no sanea ni escapa de la URL de algunos elementos, lo que podría permitir a usuarios con un rol tan bajo como el de colaborador llevar a cabo ataques de tipo Cross-Site Scripting Almacenado • https://wpscan.com/vulnerability/ab53a70c-57d5-400f-b11f-b1b7b2b0cf01 https://www.fortiguard.com/zeroday/FG-VD-21-111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-38344 – Brizy <= 2.3.11 Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-38344
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page. El plugin Brizy Page Builder versiones anteriores a 2.3.11 incluyéndola, para WordPress era vulnerable a un ataque de tipo XSS almacenado por usuarios con menos privilegios, como un suscriptor. Era posible añadir JavaScript malicioso a una página al modificar la petición enviada para actualizar la página por medio de la acción brizy_update_item AJAX y añadiendo JavaScript al parámetro data, que se ejecutaría en la sesión de cualquier visitante que visualizara o previsualizara el post o la página • https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •