The plugin does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
As a contributor or above, create a post using Brizy editor and:
- Add a Text Element then put the following payload: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
- Add an Embed Element and put the following payload as embed data: <script>alert("XSS")</script>
The XSS will be triggered when viewing/previewing the post (for example when an admin reviews it)