Brizy Page Builder
by WordPress
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3667 | Hig | 0.48 | 7.4 | 0.00 | Jun 5, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of multiple widgets in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied attributes. This… | ||
| CVE-2024-2087 | Hig | 0.47 | 7.2 | 0.02 | Jun 5, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-1940 | Hig | 0.46 | 7.1 | 0.00 | Jun 5, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it… | ||
| CVE-2024-1164 | Med | 0.42 | 6.4 | 0.00 | Jun 5, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget error message and redirect URL in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user… | ||
| CVE-2024-1291 | Med | 0.42 | 6.4 | 0.00 | Mar 13, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated… | ||
| CVE-2024-1937 | Hig | 0.39 | 7.1 | 0.00 | Jul 16, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor… | ||
| CVE-2024-3711 | Med | 0.28 | 4.3 | 0.00 | May 23, 2024 | The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This… | ||
| CVE-2023-2897 | Low | 0.17 | 3.7 | 0.00 | Jun 9, 2023 | The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses… | ||
| CVE-2025-4370 | 0.00 | — | 0.00 | Jul 29, 2025 | The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it… | |||
| CVE-2021-38346 | 0.00 | — | 0.04 | Oct 14, 2021 | The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to… | |||
| CVE-2021-38345 | 0.00 | — | 0.00 | Oct 14, 2021 | The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was… | |||
| CVE-2021-38344 | 0.00 | — | 0.00 | Oct 14, 2021 | The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and… |
- risk 0.48cvss 7.4epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of multiple widgets in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied attributes. This…
- risk 0.47cvss 7.2epss 0.02
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…
- risk 0.46cvss 7.1epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it…
- risk 0.42cvss 6.4epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget error message and redirect URL in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user…
- risk 0.42cvss 6.4epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
- risk 0.39cvss 7.1epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor…
- risk 0.28cvss 4.3epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This…
- risk 0.17cvss 3.7epss 0.00
The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses…
- CVE-2025-4370Jul 29, 2025risk 0.00cvss —epss 0.00
The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it…
- CVE-2021-38346Oct 14, 2021risk 0.00cvss —epss 0.04
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to…
- CVE-2021-38345Oct 14, 2021risk 0.00cvss —epss 0.00
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was…
- CVE-2021-38344Oct 14, 2021risk 0.00cvss —epss 0.00
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and…