CVE-2021-38344: 
WordPress vulnerability analysis and mitigation

The Brizy Page Builder plugin version 2.3.11 and earlier for WordPress contained a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2021-38344. The vulnerability was discovered by researcher Ramuel Gall and disclosed on October 13, 2021. This security flaw allowed lower-privileged users, such as subscribers, to inject malicious JavaScript into web pages through the brizyupdateitem AJAX action (Wordfence, Threatpost).

The vulnerability received a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue stems from improper input validation in the data parameter of the brizyupdateitem AJAX action. Attackers could exploit this by modifying the request sent to update a page, allowing them to inject malicious JavaScript that would execute in the session of any visitor viewing or previewing the affected post or page (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute when users view or preview affected pages. The stored XSS nature of the vulnerability means that the malicious code persists in the page content and executes automatically when users access the compromised page. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the visiting user's session (Threatpost).

The vulnerability was patched in version 2.3.17 of the Brizy Page Builder plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (Threatpost).