Cyber Resilience

CVE-2026-5324

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0017 (38.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5324 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-5324 is an unauthenticated stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.8.11. The flaw stems from multiple issues: the submit_form() function in api.php skips nonce verification for non-logged-in users (line 198), the handleFileTypeFields() function inadequately handles user-supplied values for FileUpload fields when no file is attached (api.php line 295), and security encoding applied via htmlentities() during storage is reversed by html_entity_decode() on display (form-entries.php line 79), followed by unescaped output of FileUpload values in href attributes within the form-data.php template (line 11). The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this by submitting crafted form data; the injected script is stored in the database and executes in an administrator's browser when they open the form Leads page in the plugin's admin interface. Because the scope changes from the plugin to the administrator's browser session, the resulting impact is rated low for confidentiality and integrity, for example session hijacking or data theft.

Vulnerable code locations are documented in the WordPress plugin trac repository, including admin/form-entries.php (line 79), admin/views/form-data.php (line 11), editor/forms/api.php (lines 198 and 295), and the trunk version of admin/views/form-data.php (line 11).

Vulnerability details

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11. This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
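As an added illustration (not the plugin's code), the storage and display chain described above in PHP, beside a hardened counterpart that leaves a FileUpload field empty unless a file actually arrived and escapes at the point of output. The function names handleFileTypeFields, esc_url and esc_html come from the advisory and WordPress core; the field array layout and the store_upload() helper are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Field layout and store_upload() are assumed.

// Vulnerable: a FileUpload field keeps the client-supplied value when no file arrives.
function handleFileTypeFields_vulnerable(array $fields, array $files): array {
    foreach ($fields as $i => $field) {
        if ($field['type'] !== 'FileUpload') {
            continue;
        }
        $name = $field['name'];
        if (isset($files[$name]) && $files[$name]['error'] === UPLOAD_ERR_OK) {
            $fields[$i]['value'] = store_upload($files[$name]); // assumed helper, returns a URL
        }
        // else: whatever the submitter put in $field['value'] is stored unchanged
    }
    return $fields;
}

// Vulnerable: the htmlentities() applied at storage is undone, then printed into an href.
function render_file_link_vulnerable(string $stored): string {
    $decoded = html_entity_decode($stored);           // reverses the storage-time encoding
    return '<a href="' . $decoded . '">Download</a>'; // no esc_url() on the attribute
}

// Hardened: a FileUpload value comes only from a completed upload, never from the form body.
function handleFileTypeFields_hardened(array $fields, array $files): array {
    foreach ($fields as $i => $field) {
        if ($field['type'] !== 'FileUpload') {
            continue;
        }
        $fields[$i]['value'] = '';
        $name = $field['name'];
        if (isset($files[$name]) && $files[$name]['error'] === UPLOAD_ERR_OK) {
            $fields[$i]['value'] = store_upload($files[$name]); // assumed helper, returns a URL
        }
    }
    return $fields;
}

// Hardened: escape for the exact output context at the point of output, and never decode
// a stored value first. esc_url() (WordPress core) drops URLs with disallowed schemes and
// encodes characters that would terminate the attribute; esc_html() covers the text node.
function render_file_link_hardened(string $stored): string {
    return '<a href="' . esc_url($stored) . '">' . esc_html('Download') . '</a>';
}
```

The same contextual-escaping rule applies to form-entries.php: store the raw value once, drop the html_entity_decode() step, and let the template escape for its own context.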

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Unauthenticated stored XSS in public-facing WordPress plugin form submission directly enables T1190 (exploiting public-facing app via malicious input) and facilitates T1059.007 (arbitrary JavaScript execution in admin browser context for session hijacking/data theft).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Wordpress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Enforces validation and sanitization of unauthenticated form inputs, including FileUpload fields, to block malicious script injection during submit_form() and handleFileTypeFields() processing.

SI-15 Information Output Filtering (prevent): Requires output filtering and encoding, such as esc_url() for href attributes, to prevent XSS execution from decoded FileUpload values displayed in admin form-data.php and form-entries.php.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, including patching the Brizy plugin to versions beyond 2.8.11 that fix the nonce, input handling, and output encoding issues in CVE-2026-5324.
