CVE-2026-5324
Deferred Deferred - Pending Action
Brizy Page Builder WordPress Plugin Unauthenticated Stored XSS

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5324
EUVD
EUVD-2026-26764
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
brizy page_builder to 2.8.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the vulnerability in the Brizy – Page Builder plugin impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The Brizy – Page Builder plugin for WordPress has a vulnerability known as Unauthenticated Stored Cross-Site Scripting (XSS) in all versions up to and including 2.8.11.

This vulnerability arises because the plugin does not verify nonces for unauthenticated form submissions, mishandles FileUpload fields when no file is uploaded, and reverses security encoding by using html_entity_decode() followed by unescaped output in the admin view.

Specifically, the submit_form() function skips nonce verification for users who are not logged in, the handleFileTypeFields() function fails to overwrite user-supplied values if no file is attached, and while htmlentities() is applied when storing data, html_entity_decode() reverses this on display.

Additionally, the form-data.php template outputs FileUpload values directly in href attributes without proper escaping (esc_url()), allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject malicious scripts that execute in the context of an administrator's browser when they view the form Leads page.

The impact includes potential compromise of administrator accounts, theft of sensitive information, and unauthorized actions performed with administrator privileges.

Because the vulnerability has a CVSS v3.1 base score of 7.2 with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts confidentiality and integrity, it represents a significant security risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart