CVE-2024-6254

Name of the Vulnerable Software and Affected Versions: Brizy – Page Builder plugin for WordPress versions up to, and including, 2.5.1

Description: The issue is due to missing or incorrect nonce validation on form submissions, making it possible for unauthenticated attackers to submit forms intended for public use as another user via a forged request. This can happen if an attacker can trick a site administrator into performing an action such as clicking on a link. On sites where unfiltered html is enabled, this can lead to the admin unknowingly adding a Stored Cross-Site Scripting payload.

Recommendations: For versions up to, and including, 2.5.1, update to a version that includes the fix for the missing or incorrect nonce validation issue. As a temporary workaround, consider restricting access to form submissions to minimize the risk of exploitation. Additionally, disabling unfiltered html on sites where it is not necessary can help prevent the addition of Stored Cross-Site Scripting payloads.