CVE-2024-3667 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Brizy – Page Builder plugin for WordPress developed by themefusecom. This vulnerability affects all versions up to and including 2.4.43. The root cause is insufficient sanitization and escaping of user-supplied input in the 'Link To' field of multiple widgets, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently in the page content, it executes automatically whenever any user accesses the infected page, without requiring further interaction. The vulnerability has a CVSS 3.1 base score of 7.4, reflecting its high severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and scope change. The impact includes partial loss of confidentiality, integrity, and availability, as attackers can steal session tokens, deface content, or perform actions on behalf of other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant threat to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability was publicly disclosed on June 5, 2024, and no official patches have been linked yet, emphasizing the need for immediate mitigation.

The impact of CVE-2024-3667 is substantial for organizations running WordPress sites with the Brizy – Page Builder plugin. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the context of any user viewing the compromised page. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, and potential spread of malware or phishing content. The compromise of user sessions can escalate privileges or lead to data theft, impacting confidentiality and integrity. Availability may also be affected if injected scripts disrupt site functionality or cause crashes. Given WordPress’s widespread use globally, especially in small to medium businesses, blogs, and e-commerce, this vulnerability can facilitate targeted attacks or broad exploitation campaigns. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low complexity and lack of user interaction needed increase risk. Organizations may face reputational damage, regulatory penalties, and operational disruption if exploited.

To mitigate CVE-2024-3667, organizations should first check for and apply any official patches or updates from the Brizy – Page Builder plugin vendor as soon as they become available. Until patches are released, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns in the 'Link To' field can help prevent exploitation attempts. Site administrators should also enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning the site for injected scripts or unusual content in pages and widgets is critical to detect and remediate infections early. Additionally, educating contributors about safe input practices and monitoring logs for anomalous behavior can reduce risk. Finally, consider temporarily disabling or replacing the Brizy plugin if the risk is unacceptable and no patch is available.