CVE-2026-5324
Published 2026-05-02
Priority: P3 (44) · CVSS 3.1 base score 7.2 (high)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.40% (31.9th percentile)
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11. This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
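As an added example (not Brizy's own code) of the decode-then-output pattern the description above warns about, the following plain-PHP script models the vulnerable display path beside an output-escaped one and a file-field handler that never trusts the submitted value. The helper names, the constructed sample value, and the plain-PHP stand-ins for WordPress's esc_url()/esc_html() are assumptions so that the file runs stand-alone with the php CLI.

```php
<?php
// Added example, not Brizy code. Models the storage/display pipeline the advisory
// describes (htmlentities() on save, html_entity_decode() on display, raw output)
// beside an output-escaped version. Plain-PHP stand-ins replace WordPress's
// esc_url()/esc_html() so this runs without WordPress loaded.

// Constructed sample: a field value that closes the attribute and adds a tag.
const SAMPLE_VALUE = '"><em>x</em>';

// Pattern described in the advisory: decoding undoes the storage-time encoding and
// the value then reaches both an href attribute and text content unescaped.
function render_vulnerable(string $stored): string
{
    $value = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $value . '">' . $value . '</a>';
}

// Stand-in for esc_url(): keep only http(s) or site-relative links (not
// protocol-relative "//host"), then attribute-escape the result.
function safe_href(string $url): string
{
    if (!preg_match('#^(https?://|/[^/])#i', $url)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Hardened display: escape for each output context at the point of output.
function render_hardened(string $stored): string
{
    $value = html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); // decode once ...
    $text  = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');    // ... then escape per context
    return '<a href="' . safe_href($value) . '">' . $text . '</a>';
}

// Server-side handling of a FileUpload field: the stored value comes from the
// upload result only; the submitted field value is ignored even when no file
// was attached. (In WordPress, submit_form() should also call wp_verify_nonce()
// for every submitter, logged in or not.)
function file_field_value(?array $upload_result, string $submitted): string
{
    return $upload_result['url'] ?? '';
}

$stored = htmlentities(SAMPLE_VALUE, ENT_QUOTES, 'UTF-8');
echo "stored:     $stored\n";
echo "vulnerable: ", render_vulnerable($stored), "\n";
echo "hardened:   ", render_hardened($stored), "\n";
echo "file field: '", file_field_value(null, SAMPLE_VALUE), "'\n";
```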
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themefusecom | brizy_page_builder | <= 2.8.11 | — |
VulDB
CVE-2026-5324 [HIGH] themefusecom Brizy Plugin up to 2.8.11 on WordPress FileUpload api.php html_entity_decode cross site scripting (EUVD-2026-26764)
vuldb · 2026-05-02 · CVSS 7.2
A vulnerability described as problematic has been identified in themefusecom Brizy Plugin up to 2.8.11 on WordPress. Affected by this issue is the function html_entity_decode of the file api.php of the component FileUpload Handler. The manipulation results in cross site scripting.
This vulnerability is cataloged as CVE-2026-5324. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA
GHSA-p8xr-fh24-8289 (CVE-2026-5324, HIGH, CWE-79)
ghsa_unreviewed · 2026-05-02
Description: the same text as the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/form-entries.php#L79
https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/views/form-data.php#L11
https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L198
https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L295
https://plugins.trac.wordpress.org/browser/brizy/trunk/admin/views/form-data.php#L11
https://plugins.trac.wordpress.org/changeset/3502206/brizy/trunk/admin/views/form-data.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fbrizy/tags/2.8.11&new_path=%2Fbrizy/tags/2.8.12
https://www.wordfence.com/threat-intel/vulnerabilities/id/78ec499e-5edd-4f11-9090-f79868864fee?source=cve