CVE-2026-5324
Published: 02 May 2026
Summary
CVE-2026-5324 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the Brizy – Page Builder plugin for WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-5324 is an unauthenticated stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.8.11. The flaw is the combination of four issues: the submit_form() function in api.php skips nonce verification for non-logged-in users (line 198); the handleFileTypeFields() function does not overwrite the user-supplied value of a FileUpload field when no file is attached (api.php line 295); the htmlentities() encoding applied at storage is reversed by html_entity_decode() on display (form-entries.php line 79); and the form-data.php template then writes FileUpload values into href attributes without escaping (line 11). The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
An unauthenticated attacker exploits this by submitting a crafted entry to the public form endpoint; the payload is stored in the database and runs in an administrator's browser when they open the form Leads page in the plugin's admin interface. In an unescaped href sink a payload needs no HTML metacharacters: a URL with the javascript: scheme is enough, and entity-encoding at storage would not have stopped it even without the decode step, because browsers decode entities inside attribute values before resolving the URL; only scheme validation of the kind esc_url() performs does. The changed scope (S:C) in the vector reflects that the script executes in the administrator's browser session rather than in the vulnerable component; the Low confidentiality and integrity ratings cover outcomes such as session hijacking or theft of data visible to that session.
The vulnerable code locations are documented in the WordPress plugin Trac repository: admin/form-entries.php (line 79), admin/views/form-data.php (line 11), editor/forms/api.php (lines 198 and 295), and the trunk copy of admin/views/form-data.php (line 11).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26764
Vulnerability details
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11. This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The public form-submission endpoint is the entry point, so this unauthenticated stored XSS maps directly to T1190 (Exploit Public-Facing Application: malicious input to a public-facing app). The stored payload then runs as JavaScript in the administrator's browser, which is T1059.007 (Command and Scripting Interpreter: JavaScript) and is what makes session hijacking or data theft possible.
Affected Assets
Brizy – Page Builder plugin for WordPress, all versions up to and including 2.8.11.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): enforces validation and sanitization of unauthenticated form inputs, including FileUpload fields, to block malicious script injection during submit_form() and handleFileTypeFields() processing.
SI-15 (Information Output Filtering): requires output filtering and encoding, such as esc_url() for href attributes, to prevent XSS execution from decoded FileUpload values displayed via admin form-data.php and form-entries.php.
SI-2 (Flaw Remediation): mandates timely flaw remediation, which here means updating the Brizy plugin to a release later than 2.8.11 that fixes the nonce, input-handling and output-encoding issues behind CVE-2026-5324.
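To make the vulnerability details and the three controls above concrete, here is an added illustration that is not the plugin's own code and is not taken from the advisory: a plain-PHP model of the store-then-render path, contrasting the vulnerable pattern the advisory describes (htmlentities() at storage, html_entity_decode() on display, the FileUpload value kept when no file is attached, the raw value in an href) with a hardened one. Everything in it is an assumption for the sake of the example: the field names, the constructed submission, the function names, and the safe_href()/safe_text() helpers that stand in for WordPress's esc_url()/esc_html(). It runs with plain `php` and needs no WordPress install.

```php
<?php
// Added illustration, not the Brizy plugin's code: a minimal model of the
// store-then-render path the advisory describes. Field and function names are
// hypothetical; safe_href()/safe_text() stand in for WordPress's esc_url()/esc_html().
declare(strict_types=1);
const FORM_FIELDS = [['name' => 'email', 'type' => 'Text'], ['name' => 'resume', 'type' => 'FileUpload']];
// Constructed submission with no file attached, so the attacker-supplied text for
// the FileUpload field is all the handler sees. A javascript: URL needs no HTML
// metacharacters; the quotes are the only characters htmlentities() touches.
const SUBMITTED = ['email' => 'attacker@example.invalid', 'resume' => "javascript:alert('xss')"];

// Vulnerable storage: htmlentities() on the way in, but the submitted text of a
// FileUpload field survives whenever no file was uploaded.
function store_entry_vulnerable(array $fields, array $post, ?string $uploadUrl): array
{
    $stored = [];
    foreach ($fields as $f) {
        $value = (string) ($post[$f['name']] ?? '');
        if ($f['type'] === 'FileUpload' && $uploadUrl !== null) {
            $value = $uploadUrl;
        }
        $stored[$f['name']] = htmlentities($value, ENT_QUOTES, 'UTF-8');
    }
    return $stored;
}
// Vulnerable display: html_entity_decode() reverses the storage encoding and the
// raw value is concatenated into an href attribute.
function render_entry_vulnerable(array $fields, array $stored): string
{
    $html = '';
    foreach ($fields as $f) {
        $value = html_entity_decode($stored[$f['name']], ENT_QUOTES, 'UTF-8');
        $html .= $f['type'] === 'FileUpload'
            ? '<a href="' . $value . '">' . $value . '</a>'
            : '<span>' . $value . '</span>';
    }
    return $html;
}

// Hardened storage: a FileUpload field holds the upload URL or nothing, never the
// submitted text; text fields are stored plain, since encoding belongs at output.
function store_entry_hardened(array $fields, array $post, ?string $uploadUrl): array
{
    $stored = [];
    foreach ($fields as $f) {
        $stored[$f['name']] = $f['type'] === 'FileUpload'
            ? ($uploadUrl ?? '')
            : trim(strip_tags((string) ($post[$f['name']] ?? '')));
    }
    return $stored;
}
// Stand-in for esc_url(): only http(s) may become an href. Entity-encoding a
// javascript: URL would not help, because browsers decode entities in attribute
// values before resolving them; the scheme has to be rejected outright.
function safe_href(string $value): string
{
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
// Stand-in for esc_html(): encode at the point of output.
function safe_text(string $value): string { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
// Hardened display: no decode step, and a value that fails the href check is
// shown as inert text rather than linked.
function render_entry_hardened(array $fields, array $stored): string
{
    $html = '';
    foreach ($fields as $f) {
        $value = $stored[$f['name']];
        $href  = $f['type'] === 'FileUpload' ? safe_href($value) : '';
        $html .= $href === ''
            ? '<span>' . safe_text($value) . '</span>'
            : '<a href="' . $href . '">' . safe_text($value) . '</a>';
    }
    return $html;
}

// The "legacy" case matters after an upgrade: rows written by the old code still
// hold the payload, so the output-side fix alone has to neutralise them.
function demo(): array
{
    $legacyRow = store_entry_vulnerable(FORM_FIELDS, SUBMITTED, null);
    return [
        'vulnerable'      => render_entry_vulnerable(FORM_FIELDS, $legacyRow),
        'hardened'        => render_entry_hardened(FORM_FIELDS, store_entry_hardened(FORM_FIELDS, SUBMITTED, null)),
        'hardened+file'   => render_entry_hardened(FORM_FIELDS, store_entry_hardened(FORM_FIELDS, SUBMITTED, 'https://example.invalid/cv.pdf')),
        'hardened+legacy' => render_entry_hardened(FORM_FIELDS, $legacyRow),
    ];
}
foreach (demo() as $label => $html) {
    echo str_pad($label, 17), $html, PHP_EOL;
}
```

Running it prints the vulnerable rendering with `<a href="javascript:alert('xss')">` intact, the hardened rendering of the same submission as an empty span, the hardened rendering with a real upload as an http(s) link, and the legacy row as inert (double-encoded) text. The double encoding on legacy rows is the cosmetic cost of not decoding on display; it is preferable to the alternative. The nonce check the advisory lists is deliberately not modelled: a nonce ties a request to the page that issued it and limits forged submissions, but a public lead form is meant to accept input from anonymous visitors, so the FileUpload overwrite and the output-side escaping are what actually close the XSS.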