CVE-2024-1940: 
WordPress vulnerability analysis and mitigation

The Brizy – Page Builder plugin for WordPress (CVE-2024-1940) contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 2.4.41. The vulnerability was discovered due to insufficient input sanitization performed only on the client side and inadequate output escaping (NVD).

The vulnerability stems from improper input sanitization that is only performed on the client side, combined with insufficient output escaping. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with contributor access or higher privileges to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should upgrade to a version newer than 2.4.41 of the Brizy – Page Builder plugin to address this vulnerability (NVD).