CVE-2021-38344

Name of the Vulnerable Software and Affected Versions Brizy Page Builder plugin versions <= 2.3.11

Description The issue allows lower-privileged users, such as subscribers, to perform stored XSS attacks. This is achieved by modifying the request sent to update a page via the brizy update item AJAX action and adding malicious JavaScript to the data parameter. The added JavaScript is executed in the session of any visitor who views or previews the post or page.

Recommendations For Brizy Page Builder plugin versions <= 2.3.11, update to a version higher than 2.3.11 to resolve the issue. As a temporary workaround, consider restricting access to the brizy update item AJAX action to prevent exploitation. Additionally, restrict the ability of lower-privileged users to update pages until the issue is resolved.