Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy brizy.This issue affects Brizy: from n/a through <= 2.7.7.
Published: 2025-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject unsanitized JavaScript into webpages served by a WordPress site that uses the Brizy plugin. The CVE data does not explicitly state that an attacker must supply or manipulate plugin content, but it is inferred that malicious input through the plugin’s input mechanisms or manipulated request parameters would be required for exploitation. This can enable phishing, credential theft, or defacement if control over script insertion is achieved.

Affected Systems

Affected products are the Brizy page builder plugin from themefuse.com, version 2.7.7 and all earlier releases. The vulnerability exists in both the free WordPress distribution and the premium edition of the plugin. WordPress sites that have installed these or earlier releases are vulnerable unless upgraded.

Risk and Exploitability

Risk is moderate with a CVSS score of 6.5. The EPSS score is below 1 %, indicating that exploitation is considered uncommon at present, and the vulnerability is not listed in CISA KEV. The CVE does not explicitly state that exploitation requires the ability to supply or modify content within the plugin, but it is inferred that such capabilities might be necessary and may be limited to users with editing or administrative rights. Based on the description, it is inferred that there is no remote unilateral exploitation vector, which would limit immediate impact; however, if malicious scripts are injected, widespread user compromise could occur.

Generated by OpenCVE AI on May 2, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Brizy plugin to version 2.7.8 or later
  • Inspect all existing content for injected scripts and remove them
  • Enable stricter input sanitization or install a security plugin that blocks malicious JavaScript

Generated by OpenCVE AI on May 2, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10470 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy. This issue affects Brizy: from n/a through 2.6.14.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy. This issue affects Brizy: from n/a through 2.6.14. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy brizy.This issue affects Brizy: from n/a through <= 2.7.7.
Title WordPress Brizy plugin <= 2.6.14 - Cross Site Scripting (XSS) vulnerability WordPress Brizy plugin <= 2.7.7 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 07 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Brizy
Brizy brizy
CPEs cpe:2.3:a:brizy:brizy:*:*:*:*:free:wordpress:*:*
Vendors & Products Brizy
Brizy brizy

Thu, 10 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy. This issue affects Brizy: from n/a through 2.6.14.
Title WordPress Brizy plugin <= 2.6.14 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Brizy Brizy
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.792Z

Reserved: 2025-04-04T10:01:28.633Z

Link: CVE-2025-32198

cve-icon Vulnrichment

Updated: 2025-04-10T13:07:03.588Z

cve-icon NVD

Status : Modified

Published: 2025-04-10T08:15:17.017

Modified: 2026-04-23T15:28:44.547

Link: CVE-2025-32198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses