Brizy Pro Vulnerability (Medium) – CVE-2025-22763

Apr 15, 2026 | Plugins

Attack Vectors

Brizy Pro (slug: brizy-pro) is affected by a Medium-severity reflected cross-site scripting (XSS) vulnerability (CVSS 6.1) in versions up to and including 2.8.0 (CVE-2025-22763).

This type of issue is commonly exploited through social engineering: an unauthenticated attacker crafts a malicious link and attempts to convince a user (for example, a marketer, site administrator, or other staff member) to click it. If the user clicks and the vulnerable page is triggered, the attacker’s script can run in the context of your website in that user’s browser.

The CVSS vector marks privileges required as none and user interaction as required (the click), so the practical risk rises during high-traffic campaigns, when more staff and partners are handling links, landing pages, and analytics reviews at speed and are less likely to inspect a URL before opening it.

Security Weakness

According to Wordfence, Brizy Pro is vulnerable due to insufficient input sanitization and output escaping. In plain terms, the plugin may accept certain user-supplied input and display it back to a page without properly cleaning it, which can allow injected browser code to be reflected and executed.

The vulnerability is tracked as CVE-2025-22763, with a CVSS score of 6.1 (Medium): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Remediation: Update Brizy Pro to version 2.8.1 or a newer patched version. Reference source: Wordfence vulnerability record.
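The weakness described in this section, a request value reflected into a page without sanitization or escaping, shown as an added PHP example. This is illustrative code written for this post, not Brizy Pro's own code path: the render_preview_* functions, the preview_title parameter and the constructed input are assumptions, and the fallback helper definitions exist only so the file runs outside WordPress, where the real esc_html(), esc_attr() and sanitize_text_field() would be used instead.

```php
<?php
// Added illustration for this advisory, not the plugin's code. The handler
// name, the 'preview_title' parameter and the fallback helpers below are
// assumptions; inside WordPress the real esc_html()/esc_attr()/
// sanitize_text_field() are already defined and would be used as-is.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Rough stand-in for the WordPress helper: drop tags and control
        // characters, then trim surrounding whitespace.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Weak pattern: the request value is written straight into the markup.
// This is the class of defect the advisory describes (missing input
// sanitization and output escaping), not the plugin's actual code.
function render_preview_unsafe(array $request): string {
    $title = (string) ($request['preview_title'] ?? '');
    return '<div class="preview" data-title="' . $title . '"><h2>'
         . $title . '</h2></div>';
}

// Hardened pattern: sanitize on input, then escape for the exact output
// context the value lands in (attribute value vs. element text).
function render_preview_safe(array $request): string {
    $title = sanitize_text_field((string) ($request['preview_title'] ?? ''));
    return '<div class="preview" data-title="' . esc_attr($title) . '"><h2>'
         . esc_html($title) . '</h2></div>';
}

// Simple check used below: does the rendered HTML still carry the raw
// value, quote and angle bracket included, so it could break out of its
// attribute or text context?
function reflects_raw_value(string $html, string $value): bool {
    return strpos($html, $value) !== false;
}

// Constructed input standing in for a query-string parameter. It only has
// to contain a quote and an angle bracket to show the context break-out.
$constructed = ['preview_title' => '"><b>injected</b>'];

$unsafe = render_preview_unsafe($constructed);
$safe   = render_preview_safe($constructed);

echo 'unsafe output reflects raw value: '
   . var_export(reflects_raw_value($unsafe, $constructed['preview_title']), true) . "\n";
echo 'safe output reflects raw value:   '
   . var_export(reflects_raw_value($safe, $constructed['preview_title']), true) . "\n";
echo $safe . "\n";
```

Run it with `php` on the command line: the unsafe renderer reports true because the quote and tag survive into the page, while the hardened renderer reports false and prints the value as entity-encoded text. The point to carry into a code review is that the escape function must match the output context; esc_attr() for attribute values and esc_html() for element text are the WordPress helpers for the two contexts shown here, and sanitizing on input alone is not a substitute for escaping on output.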

Technical or Business Impacts

While reflected XSS is often triggered by a single click, the business impact can be outsized, especially for marketing and revenue teams. If an attacker’s script executes in a staff member’s browser, it can enable actions such as manipulating what the user sees, capturing data the page exposes, or pushing the user toward unintended actions within the site.

For leadership and compliance teams, key risks include:

Brand and customer trust impact: Users redirected or shown altered content may associate the experience with your brand, harming campaign performance and trust.

Operational disruption: Incident response, emergency patching, and campaign pauses can derail launches and create unplanned costs.

Compliance and reporting exposure: If the attack contributes to unauthorized access to personal or business data, you may face notification obligations and audit scrutiny depending on your regulatory environment.

Similar Attacks

Reflected and other forms of XSS have been used in high-profile incidents for years, often spreading quickly once a compelling link or interaction is involved. Examples include:

The “Samy” MySpace worm (an early, widely cited XSS-driven incident that propagated rapidly through user interactions).

Twitter’s 2010 onMouseOver XSS incident (a campaign where users’ interactions caused unintended script execution and widespread impact).
