cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-6254,https://securityvulnerability.io/vulnerability/CVE-2024-6254,Brizy Page Builder Plugin Vulnerable to Cross-Site Request Forgery,"The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form submissions. This makes it possible for unauthenticated attackers to submit forms intended for public use as another user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. On sites where unfiltered_html is enabled, this can lead to the admin unknowingly adding a Stored Cross-Site Scripting payload.",Wordpress,Brizy – Page Builder,4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-08-08T03:30:45.320Z,0
CVE-2024-3242,https://securityvulnerability.io/vulnerability/CVE-2024-3242,Arbitrary File Uploads Vulnerability Affects Brizy Page Builder Plugin,"The Brizy Page Builder plugin for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file extension validation in the 'validateImageContent' function. This vulnerability affects all versions from inception up to and including version 2.4.43. Authenticated attackers with contributor or higher roles could leverage this flaw to upload potentially harmful files to the server, which could lead to remote code execution. The issue is mitigated in version 2.4.44, which prevents the upload of files with .sh and .php extensions, while version 2.4.45 includes a comprehensive fix for this vulnerability.",Wordpress,Brizy – Page Builder,8.8,HIGH,0.0006699999794363976,false,,false,false,false,,false,false,2024-07-18T08:33:03.613Z,0
CVE-2024-1164,https://securityvulnerability.io/vulnerability/CVE-2024-1164,Stored Cross-Site Scripting Vulnerability Affects Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget error message and redirect URL in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied error messages. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy-page Builder,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-05T07:15:00.000Z,0
CVE-2024-3667,https://securityvulnerability.io/vulnerability/CVE-2024-3667,Stored Cross-Site Scripting Vulnerability Affects Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of multiple widgets in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy-page Builder,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-06-05T06:15:00.000Z,0
CVE-2024-2087,https://securityvulnerability.io/vulnerability/CVE-2024-2087,Brizy Page Builder Plugin Vulnerable to Stored Cross-Site Scripting,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy – Page Builder,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-06-05T06:15:00.000Z,0
CVE-2024-1940,https://securityvulnerability.io/vulnerability/CVE-2024-1940,Stored Cross-Site Scripting Vulnerability Affects Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy-page Builder,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-05T06:15:00.000Z,0
CVE-2024-1161,https://securityvulnerability.io/vulnerability/CVE-2024-1161,Stored Cross-Site Scripting Vulnerability Affects Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-05T06:15:00.000Z,0
CVE-2024-3711,https://securityvulnerability.io/vulnerability/CVE-2024-3711,Unauthorized Plugin Setting Update Vulnerability Affects Brizy Page Builder,"The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.",Wordpress,Brizy – Page Builder,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-05-23T05:32:15.933Z,0
CVE-2024-1291,https://securityvulnerability.io/vulnerability/CVE-2024-1291,Stored Cross-Site Scripting Vulnerability Affects Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:27:27.025Z,0
CVE-2024-1311,https://securityvulnerability.io/vulnerability/CVE-2024-1311,Arbitrary File Uploads Vulnerability Affects Brizy Page Builder Plugin,"The Brizy Page Builder plugin for WordPress is susceptible to an arbitrary file upload vulnerability stemming from inadequate validation of file types in the storeImages function. This flaw affects all versions up to and including 2.4.40. Authenticated attackers with contributor access or higher can exploit this vulnerability to upload arbitrary files to the server hosting the affected site. Such breaches can result in remote code execution, posing a significant risk to the integrity and security of the web application.",Wordpress,Brizy – Page Builder,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:27:18.889Z,0
CVE-2024-1293,https://securityvulnerability.io/vulnerability/CVE-2024-1293,Stored Cross-Site Scripting Vulnerability in Brizy Page Builder for WordPress,"The Brizy – Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting as a result of inadequate input sanitization and output escaping in the embedded media custom block. This vulnerability enables authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts may execute whenever the targeted pages are accessed by users, potentially compromising the security and integrity of the website.",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:26:50.158Z,0
CVE-2024-1296,https://securityvulnerability.io/vulnerability/CVE-2024-1296,Stored Cross-Site Scripting in Brizy Page Builder Plugin for WordPress,"The Brizy Page Builder plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level permissions and above can exploit this flaw through the plugin's block upload feature, allowing the injection of malicious scripts that execute when other users visit the compromised pages. This vulnerability affects all versions of the plugin up to and including 2.4.40, posing a significant risk to website security.",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.0006000000284984708,false,,false,false,false,,false,false,2024-03-13T15:26:45.344Z,0
CVE-2024-1165,https://securityvulnerability.io/vulnerability/CVE-2024-1165,Arbitrary File Upload Vulnerability in Brizy Page Builder Plugin,"The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server",Wordpress,Brizy – Page Builder,6.5,MEDIUM,0.0006600000197067857,false,,false,false,false,,false,false,2024-02-26T16:27:00.000Z,0
CVE-2020-36714,https://securityvulnerability.io/vulnerability/CVE-2020-36714,Authorization Bypass Vulnerability in Brizy Page Builder Plugin by WordPress,"The Brizy plugin for WordPress contains a vulnerability that allows for authorization bypass due to an improper capability check in the is_administrator() function. This flaw, present in versions up to and including 1.0.125, could potentially allow authenticated attackers to gain unauthorized access to various AJAX functions within the plugin, leading to manipulation or retrieval of sensitive data.",Wordpress,Brizy – Page Builder,8.1,HIGH,0.0007600000244565308,false,,false,false,false,,false,false,2023-10-20T07:29:23.827Z,0
CVE-2023-2897,https://securityvulnerability.io/vulnerability/CVE-2023-2897,IP Address Spoofing Vulnerability in Brizy Page Builder Plugin for WordPress,"The Brizy Page Builder plugin for WordPress presents a vulnerability characterized by IP Address Spoofing due to an implicit trust of user-supplied IP addresses from the 'X-Forwarded-For' HTTP header. This vulnerability impacts versions up to and including 2.4.18, permitting attackers to bypass maintenance mode protection by submitting a whitelisted IP address in the header. Consequently, this can result in unauthorized access to restricted functionalities and possible exposure of sensitive information.",Wordpress,Brizy – Page Builder,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2023-06-09T07:15:00.000Z,0
CVE-2022-2041,https://securityvulnerability.io/vulnerability/CVE-2022-2041,Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element Content,"The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-06-27T08:59:32.000Z,0
CVE-2022-2040,https://securityvulnerability.io/vulnerability/CVE-2022-2040,Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL,"The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks",Wordpress,Brizy – Page Builder,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-06-27T08:59:27.000Z,0
CVE-2021-38346,https://securityvulnerability.io/vulnerability/CVE-2021-38346,Brizy <= 2.3.11 Authenticated Unrestricted File Upload and Path Traversal,"The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with ""../"" to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations.",Wordpress,Brizy - Page Builder,8.8,HIGH,0.0009500000160187483,false,,false,false,false,,false,false,2021-10-14T16:15:00.000Z,0
CVE-2021-38345,https://securityvulnerability.io/vulnerability/CVE-2021-38345,Brizy <= 1.0.125 and 1.0.127 – 2.3.11 Incorrect authorization checks allowing Post modification,"The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.",Wordpress,Brizy - Page Builder,7.1,HIGH,0.000539999979082495,false,,false,false,false,,false,false,2021-10-14T16:15:00.000Z,0
CVE-2021-38344,https://securityvulnerability.io/vulnerability/CVE-2021-38344,Brizy <= 2.3.11 Authenticated Stored Cross-Site Scripting,"The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page.",Wordpress,Brizy - Page Builder,6.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-10-14T16:15:00.000Z,0