CVE-2024-1940 HIGH

CVE-2024-1940: Brizy – Page Builder <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting

Vendor Themefusecom

Product Brizy – Page Builder

Weakness CWE-79 · XSS

Published June 5, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

June 5, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1940

Related vulnerabilities

04Related CVE

CVE-2024-35146 IBM Maximo Application Suite cross-site scripting CVE-2019-1838 Cisco Application Policy Infrastructure Controller Web-Based Management Interface Cross-Site Scripting Vulnerability CVE-2025-53824 WeGIA ReflectedCross-Site Scripting (XSS) vulnerability in endpoint 'cadastro_pet.php' parameter 'msg' CVE-2024-33934 WordPress Mini Loops plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-22718 WordPress FAT Event Lite plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability