Description
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
Published: 2026-05-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Brizy – Page Builder plugin for WordPress contains a flaw that allows unauthenticated users to store malicious script code in the FileUpload field of form entries. Because the plugin removes nonce verification for form submissions that are not logged in, fails to overwrite user supplied values when no file is present, and then reverses HTML entity encoding with html_entity_decode() before rendering the value in an admin link, an attacker can plant arbitrary JavaScript. When an administrator later navigates to the form Leads page the script executes in the admin context, potentially leading to credential theft, defacement, or further attacks. This vulnerability is a classic case of stored cross‑site scripting (CWE‑79).

Affected Systems

The vulnerable product is the WordPress plugin Brizy – Page Builder, versions up to and including 2.8.11. The plugin can be installed on any WordPress site that uses these versions, regardless of the underlying operating system or WordPress version.

Risk and Exploitability

The CVSS base score of 7.2 designates this flaw as a high‑severity stored XSS. With no authentication required, the attack vector is remote via standard HTTP requests to the form submission endpoint. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV database, there is no current evidence of exploitation in the wild, but the lack of security controls makes it straightforward for an attacker to craft a malicious post and force a site administrator to load a page that runs the payload. Consequently, the risk to any WordPress site that has this plugin installed is significant, especially if administrative users are logged in or the site is exposed to the internet.

Generated by OpenCVE AI on May 2, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Brizy – Page Builder plugin to version 2.8.12 or later to receive the fix for the stored XSS vulnerability.
  • If an immediate upgrade is not possible, disable public form submissions or restrict them to authenticated users only by disabling the affected form feature.
  • As a temporary workaround, edit the plugin’s form-data.php file to escape FileUpload field values in the admin view using esc_url() before outputting them in href attributes.

Generated by OpenCVE AI on May 2, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
Title Brizy – Page Builder <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting via FileUpload Field Value
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T08:27:05.238Z

Reserved: 2026-04-01T13:14:12.888Z

Link: CVE-2026-5324

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T09:16:22.477

Modified: 2026-05-02T09:16:22.477

Link: CVE-2026-5324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses