CVE-2024-1296 is a stored cross-site scripting (XSS) vulnerability identified in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.4.40. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's block upload functionality. This flaw allows authenticated attackers with contributor-level or higher permissions to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity and no user interaction, but it does require authentication with contributor or higher privileges. The scope is considered changed (S:C) because the vulnerability affects components beyond the attacker’s privileges, impacting other users. The confidentiality and integrity impacts are low, while availability is unaffected. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of patch links suggests that users must monitor vendor updates closely or apply manual mitigations. This vulnerability highlights the risks of insufficient input validation in content management plugins, especially those allowing user-generated content with elevated privileges.

The primary impact of CVE-2024-1296 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users who view those pages. This can lead to session hijacking, theft of sensitive information such as cookies or tokens, unauthorized actions performed on behalf of users (including administrators), and potential privilege escalation. Although the confidentiality and integrity impacts are rated low, the scope change means that the attacker can affect users beyond their own privileges, increasing risk. The vulnerability does not affect availability, so denial-of-service is unlikely. Organizations using the Brizy – Page Builder plugin on public-facing WordPress sites are at risk of reputational damage, data leakage, and unauthorized access if exploited. The requirement for authenticated contributor-level access limits exposure to some degree but does not eliminate risk, especially in environments with multiple users or weak access controls. The absence of known exploits in the wild reduces immediate threat but does not preclude future attacks. Overall, this vulnerability can facilitate targeted attacks against WordPress sites, especially those with multiple contributors or less stringent user management.

To mitigate CVE-2024-1296, organizations should first check for and apply any official patches or updates released by the themefusecom vendor for the Brizy – Page Builder plugin. If no patch is available, administrators should consider temporarily disabling the plugin or restricting contributor-level permissions to trusted users only. Implement strict user role management and audit contributor activities to detect suspicious behavior. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads, particularly those targeting the plugin’s block upload feature. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly scan WordPress installations with security plugins that can detect stored XSS attempts or anomalous content injections. Educate contributors about safe content practices and the risks of uploading untrusted content. Finally, monitor security advisories from the plugin vendor and WordPress security communities for updates or exploit reports.