CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10322 – Brizy – Page Builder <= 2.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-10322
12 Feb 2025 — The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. • https://plugins.trac.wordpress.org/changeset/3231744 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10960 – Brizy – Page Builder <= 2.6.4 - Authenticated (Contributor+) Arbitrary File Upload via storeUploads
https://notcve.org/view.php?id=CVE-2024-10960
11 Feb 2025 — The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3222672/brizy/tags/2.6.5/editor/zip/archiver.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6254 – Brizy – Page Builder <= 2.5.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-6254
07 Aug 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form submissions. This makes it possible for unauthenticated attackers to submit forms intended for public use as another user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. On sites where unfiltered_html is enabled, this can lead to the admin unkno... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3129495%40brizy%2Ftrunk&old=3125955%40brizy%2Ftrunk&sfp_email=&sfph_mail= • CWE-20: Improper Input Validation •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1937 – Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification
https://notcve.org/view.php?id=CVE-2024-1937
15 Jul 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript. • https://plugins.trac.wordpress.org/changeset/3112878/brizy/trunk/editor/api.php • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3711 – Brizy – Page Builder <= 2.4.43 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-3711
22 May 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used. El complemento Brizy – Page Builder para WordPress es vulnerable a actualizaciones no autori... • https://plugins.trac.wordpress.org/browser/brizy/trunk/admin/main.php • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-1165 – Brizy – Page Builder <= 2.4.39 - Authenticated (Contributor+) Directory Traversal
https://notcve.org/view.php?id=CVE-2024-1165
23 Feb 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server El complemento Brizy – Page Builder para WordPress es vulnerable a Directory Traversal en todas las versiones hasta la 2.4.39 incluida, a través del 'id'. Esto hace posible que atacantes autenticados, con acceso de nivel de ... • https://plugins.trac.wordpress.org/browser/brizy/tags/2.4.39/editor/screenshot/manager.php#L33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1291 – Brizy – Page Builder <= 2.4.40 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1291
23 Feb 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Brizy – Page Builder para WordPress es vulnerable a Cross-Site Scripting Almacen... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034945%40brizy%2Ftrunk&old=3032616%40brizy%2Ftrunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1293 – Brizy – Page Builder <= 2.4.40 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1293
23 Feb 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Brizy – Page Builder para WordPress es vulnerable a Cross-Site Scripting Alma... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034945%40brizy%2Ftrunk&old=3032616%40brizy%2Ftrunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1296 – Brizy – Page Builder <= 2.4.40 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1296
23 Feb 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Brizy – Page Builder para WordPress es vulner... • https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/post.php#L529 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 6%CPEs: 1EXPL: 0CVE-2024-1311 – Brizy – Page Builder <= 2.4.40 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-1311
23 Feb 2024 — The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Brizy – Page Builder para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de valida... • https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/zip/archiver.php#L254 • CWE-434: Unrestricted Upload of File with Dangerous Type •