The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
The Brizy Page Builder WordPress plugin versions up to 2.8.11 contain an unauthenticated stored XSS vulnerability allowing attackers to inject malicious scripts through form submissions. The vulnerability exploits missing nonce verification, improper file upload handling, and unsafe HTML decoding that reverses security encoding.
تحتوي إضافة Brizy Page Builder على ثغرة حقن برامج نصية مخزنة تسمح للمهاجمين غير المصرح لهم بإدراج رموز خبيثة عبر نماذج الويب. تنتج الثغرة عن عدم التحقق من الرموز الأمنية (nonce) وعدم معالجة صحيحة لحقول تحميل الملفات وعكس ترميز الأمان باستخدام html_entity_decode().
Brizy Page Builder plugin for WordPress up to version 2.8.11 is vulnerable to stored cross-site scripting attacks from unauthenticated users. Attackers can inject malicious code through form submissions due to inadequate security checks and improper handling of encoded content.
Update Brizy Page Builder plugin to version 2.8.12 or later immediately. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads. Disable the plugin if immediate patching is not possible. Review and sanitize all user input handling in custom forms. Enable WordPress security headers including Content-Security-Policy.
قم بتحديث إضافة Brizy Page Builder إلى الإصدار 2.8.12 أو أحدث فوراً. طبق قواعد جدار حماية تطبيقات الويب للكشف عن حقن البرامج النصية. عطل الإضافة إذا لم يكن التحديث ممكناً فوراً. راجع وتنظيف جميع معالجات إدخال المستخدمين في النماذج المخصصة. فعّل رؤوس أمان WordPress بما فيها Content-Security-Policy.