CVE-2024-6254 is a vulnerability classified under CWE-20 (Improper Input Validation) affecting the Brizy – Page Builder plugin for WordPress, versions up to and including 2.5.1. The root cause is the absence or incorrect implementation of nonce validation on form submissions, which are security tokens designed to prevent CSRF attacks. Without proper nonce checks, attackers can craft malicious requests that appear legitimate to the server and trick authenticated administrators into executing unintended actions by clicking on a specially crafted link or visiting a malicious page. This vulnerability is particularly dangerous on WordPress sites where the unfiltered_html capability is enabled, as it allows attackers to inject stored Cross-Site Scripting payloads. Stored XSS can lead to persistent script execution in the context of the admin user, potentially compromising site integrity, stealing credentials, or performing further malicious actions. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with an attack vector of network, low attack complexity, no privileges required, but requiring user interaction. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using the affected plugin versions, especially those with relaxed content filtering settings.

The primary impact of this vulnerability is the potential for unauthorized actions to be performed on behalf of an administrator via CSRF, which can lead to unauthorized content changes or configuration modifications. On sites with unfiltered_html enabled, the risk escalates to stored XSS, which can compromise the confidentiality and integrity of the site by enabling persistent malicious script execution in the admin context. This can lead to credential theft, session hijacking, or further compromise of the WordPress installation. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, the reputational damage and potential data breaches resulting from exploitation can be significant. Organizations relying on Brizy – Page Builder for content management are at risk, particularly those with high administrative privileges and relaxed content filtering. The vulnerability affects all sites using vulnerable versions, regardless of size or industry, but those with high-value targets or sensitive data are at greater risk.

Organizations should immediately update the Brizy – Page Builder plugin to a version that includes proper nonce validation once available. Until a patch is released, administrators should disable or restrict the plugin's form submission features, especially on sites with unfiltered_html enabled. Implementing strict content filtering to disable unfiltered_html capability for non-trusted users can reduce the risk of stored XSS. Additionally, administrators should be trained to avoid clicking on suspicious links and to verify the authenticity of requests related to site administration. Employing Web Application Firewalls (WAFs) with rules to detect and block CSRF attempts targeting the plugin's endpoints can provide temporary protection. Regular security audits and monitoring for unusual administrative actions or injected scripts are recommended. Finally, limiting the number of users with administrative privileges reduces the attack surface.