CVE-2026-5324 Overview
CVE-2026-5324 is an unauthenticated stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Brizy – Page Builder plugin for WordPress. The flaw affects all plugin versions up to and including 2.8.11. Unauthenticated attackers can submit crafted form data that stores malicious JavaScript, which executes when an administrator views the form Leads page in the WordPress admin dashboard. The vulnerability stems from missing nonce verification, insufficient handling of FileUpload fields, and the reversal of HTML entity encoding before output.
Critical Impact
Unauthenticated attackers can inject arbitrary scripts that execute in the administrator's browser session, enabling session theft, account takeover, and arbitrary actions performed with administrator privileges.
Affected Products
- Brizy – Page Builder plugin for WordPress, all versions through 2.8.11
- WordPress sites using Brizy form widgets to collect submissions
- Administrator accounts viewing the Brizy form Leads page
Discovery Timeline
- 2026-05-02 - CVE-2026-5324 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5324
Vulnerability Analysis
The Brizy plugin exposes a public form submission endpoint that fails to enforce request authenticity for unauthenticated users. The submit_form() function in editor/forms/api.php at line 198 skips nonce verification when the requester is not logged in. This allows any remote actor to send crafted submissions to the plugin's form handler.
When a form contains a FileUpload field, the handleFileTypeFields() function does not overwrite user-supplied values when no file is attached. An attacker can therefore supply arbitrary text in place of a file path, including JavaScript payloads embedded in attributes such as javascript: URIs.
The stored data is encoded with htmlentities() at write time, but the admin-side renderer in admin/form-entries.php at line 79 calls html_entity_decode() on the values before display. The admin/views/form-data.php template then emits the decoded FileUpload value directly inside an href attribute without applying esc_url(). The combined result is reflective decoding plus unescaped output in the administrator's browser.
Root Cause
The root cause is a defense-in-depth failure across three locations: missing CSRF protection on the public submission path, missing field sanitization for empty FileUpload inputs, and incorrect output escaping that reverses prior encoding. Each weakness alone is recoverable, but combined they produce a stored XSS chain.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond an administrator later viewing the Leads page. An attacker submits a form on any page hosting a Brizy form, supplies an XSS payload in a FileUpload field with no actual file, and waits for an administrator to open the form entries view. The script then executes in the administrator's authenticated session context.
Detection Methods for CVE-2026-5324
Indicators of Compromise
- Form submission entries containing HTML tags, javascript: URIs, or event handler attributes such as onerror= or onclick= in FileUpload fields
- POST requests to the Brizy form API endpoint from unauthenticated sources without a valid nonce parameter
- Unexpected outbound requests originating from administrator browser sessions after viewing the form Leads page
- Database entries in the Brizy form storage tables containing encoded script payloads
Detection Strategies
- Inspect WordPress database tables that store Brizy form submissions for entries containing <script, javascript:, or HTML event handlers
- Review web server access logs for POST requests to Brizy form submission endpoints originating from suspicious IP addresses
- Audit administrator browser telemetry for anomalous JavaScript execution coinciding with visits to the Brizy Leads admin page
- Correlate WordPress audit logs with new administrator account creation or privilege changes following Leads page access
Monitoring Recommendations
- Enable verbose logging on the WordPress admin interface and forward events to a centralized SIEM for correlation
- Monitor for new or modified administrator users, plugin installations, and theme file changes after form submissions
- Apply a web application firewall rule that inspects Brizy form submission payloads for script-injection patterns
- Track outbound requests from admin sessions to unfamiliar domains, which may indicate cookie exfiltration
How to Mitigate CVE-2026-5324
Immediate Actions Required
- Update the Brizy – Page Builder plugin to version 2.8.12 or later on every WordPress site in your estate
- Review existing form entries for malicious content and purge any submissions containing script payloads before opening the Leads page
- Rotate WordPress administrator passwords and invalidate active sessions if the Leads page was accessed prior to patching
- Audit administrator accounts and installed plugins for unauthorized changes that may indicate prior exploitation
Patch Information
The vendor addressed this vulnerability in Brizy version 2.8.12. The fix is documented in the WordPress Brizy Code Changeset and the WordPress Brizy Version Change Details. Additional context is available in the Wordfence Vulnerability Report.
Workarounds
- Deactivate the Brizy plugin until the patched version is deployed if immediate updating is not possible
- Remove or disable Brizy form widgets that contain FileUpload fields to break the injection path
- Restrict access to the WordPress admin Leads page using IP allowlists at the web server or WAF layer
- Deploy a Content Security Policy that disallows inline script execution in the WordPress admin interface
# Update Brizy plugin via WP-CLI to the patched version
wp plugin update brizy --version=2.8.12
# Verify the installed version
wp plugin get brizy --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

