The plugin does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
As a contributor or above, create a post using the Brizy editor and:
- Add a Text Element then put the following payload:
- Add an Embed Element and put the following payload as embed data:

The XSS will be triggered when viewing/previewing the post (for example when an admin reviews it).
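
One way to close this class of bug in a WordPress plugin, filtering element content on save and again on render according to whether the author holds the `unfiltered_html` capability. This is an added example, not Brizy's code; the `example_*` function names and the `'text'` / `'embed'` type labels are hypothetical, and it assumes the file is loaded inside WordPress.

```php
<?php
/**
 * Added example, not the plugin's code. Assumes it runs inside WordPress
 * (for instance from a must-use plugin). The example_* names and the
 * 'text' / 'embed' type labels are hypothetical.
 */

// Markup a low-privileged author may place in an embed: a framed URL only.
function example_embed_allowlist(): array {
	return array(
		'iframe' => array(
			'src'             => true,
			'width'           => true,
			'height'          => true,
			'title'           => true,
			'allowfullscreen' => true,
		),
	);
}

// Filter one element's content; tags and attributes outside the allowlist are removed.
function example_filter_element( string $type, string $content ): string {
	if ( 'embed' === $type ) {
		// Event-handler attributes and srcdoc are not listed, so they are dropped;
		// src is limited to http(s) URLs by the protocol list.
		return wp_kses( $content, example_embed_allowlist(), array( 'http', 'https' ) );
	}
	// Text elements: the filter WordPress uses for post content.
	return wp_kses_post( $content );
}

// Save time: Contributors and Authors lack unfiltered_html, so filter their input.
function example_sanitize_on_save( string $type, string $content ): string {
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $content;
	}
	return example_filter_element( $type, $content );
}

// Render time: decide by the post author, not the viewer, so content stored
// before the save-time filter existed is not emitted raw to a reviewing admin.
function example_render_element( string $type, string $stored, int $author_id ): string {
	if ( user_can( $author_id, 'unfiltered_html' ) ) {
		return $stored;
	}
	return example_filter_element( $type, $stored );
}
```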