{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/brizy--page-builder-plugin--2.8.11/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5324"}],"_cs_exploited":false,"_cs_products":["Brizy – Page Builder plugin \u003c= 2.8.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form\u0026rsquo;s \u0026ldquo;Leads\u0026rdquo; page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the \u003ccode\u003esubmit_form()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleFileTypeFields()\u003c/code\u003e function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.\u003c/li\u003e\n\u003cli\u003eThe injected payload, now stored in the WordPress database, bypasses initial \u003ccode\u003ehtmlentities()\u003c/code\u003e encoding due to later \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress dashboard and navigates to the \u0026ldquo;Leads\u0026rdquo; page to view form submissions.\u003c/li\u003e\n\u003cli\u003eThe form-data.php template retrieves the stored malicious payload from the database.\u003c/li\u003e\n\u003cli\u003eThe payload is outputted directly within the \u003ccode\u003ehref\u003c/code\u003e attribute of an HTML element without proper escaping using \u003ccode\u003eesc_url()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator\u0026rsquo;s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site\u0026rsquo;s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brizy WordPress Plugin XSS Attempt via HTTP Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eform-data.php\u003c/code\u003e template and implement proper output escaping using \u003ccode\u003eesc_url()\u003c/code\u003e for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-brizy-xss/","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.","title":"Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-brizy-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Brizy – Page Builder Plugin \u003c= 2.8.11","version":"https://jsonfeed.org/version/1.1"}