Brizy WordPress Plugin CVE-2026-5324: Unauthenticated Stored XSS
The Brizy – Page Builder plugin for WordPress, in all versions up to and including 2.8.11, is vulnerable to unauthenticated stored Cross-Site Scripting (XSS), according to the National Vulnerability Database. This isn’t some theoretical flaw; it’s a critical logic error that allows unauthenticated attackers to inject malicious web scripts directly into the system.
The vulnerability stems from a trifecta of poor security practices: missing nonce verification for unauthenticated form submissions, inadequate handling of FileUpload fields when no file is actually uploaded, and the disastrous reversal of security encoding via html_entity_decode() before unescaped output. Essentially, the submit_form() function bypasses nonce checks for non-logged-in users, and handleFileTypeFields() fails to sanitize user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() undoes this protection upon display in the admin view, specifically in the form-data.php template which outputs FileUpload values directly into href attributes without proper escaping.
This means an attacker can craft a malicious submission that an administrator will unknowingly execute when viewing the form Leads page. The National Vulnerability Database assigns this a CVSS score of 7.2 (HIGH), highlighting the ease of exploitation (network-adjacent, low complexity, no privileges or user interaction required) and the significant impact on confidentiality and integrity. If you’re running Brizy, this is a glaring hole waiting to be exploited.
What This Means For You
- If your organization uses the Brizy – Page Builder plugin for WordPress, you are exposed to unauthenticated stored XSS. You need to immediately check your Brizy plugin version. If it's 2.8.11 or earlier, update it without delay. Audit your admin logs for any suspicious activity on the form Leads page, as attackers can inject scripts that execute when an administrator views them.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-5324: Brizy Unauthenticated Stored XSS via Form Submission
title: CVE-2026-5324: Brizy Unauthenticated Stored XSS via Form Submission
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
This rule detects attempts to exploit CVE-2026-5324 by targeting the Brizy WordPress plugin's unauthenticated form submission endpoint. Attackers can submit malicious data, including script tags, through the 'brizy_submit_form' action in 'admin-ajax.php' without authentication. The vulnerability lies in how the plugin handles file uploads and sanitizes data, allowing stored XSS to be executed when an administrator views the form entries. This rule specifically looks for the vulnerable endpoint and action, assuming POST data inspection is available.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-5324/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/wp-admin/admin-ajax.php'
cs-uri-query|contains:
- 'action=brizy_submit_form'
cs-method|exact:
- 'POST'
# The actual payload would be in the POST body, which is not directly queryable in many log sources.
# This rule assumes the webserver logs include POST body data or a WAF logs it.
# A more robust detection would require WAF logs or application-level logging.
# Example of a potential payload indicator (highly specific and might require tuning):
# body|contains:
# - 'brizy_field_type=fileupload'
# - '<script>'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5324 | XSS | Brizy – Page Builder plugin for WordPress versions <= 2.8.11 |
| CVE-2026-5324 | XSS | Vulnerable function: submit_form() in api.php:198 (missing nonce verification) |
| CVE-2026-5324 | XSS | Vulnerable function: handleFileTypeFields() (fails to overwrite user-supplied values) |
| CVE-2026-5324 | XSS | Vulnerable file: form-entries.php:79 (html_entity_decode() reverses security encoding) |
| CVE-2026-5324 | XSS | Vulnerable template: form-data.php (outputs FileUpload values directly in href without esc_url()) |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 02, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7608 — TRENDnet TEW-821DAP Command Injection
CVE-2026-7608 — A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command...
CVE-2026-4024 — The Royal Addons for Elementor plugin for WordPress is
CVE-2026-4024 — The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the...
ARMember WordPress Plugin Vulnerable to SQL Injection
CVE-2026-7649 — The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL...