Overview
A High-severity stored cross-site scripting (XSS) vulnerability has been disclosed in the Brizy – Page Builder plugin for WordPress. Tracked as CVE-2026-5324 with a CVSS score of 7.2, the flaw allows unauthenticated attackers to inject persistent JavaScript into WordPress pages by exploiting missing nonce verification and improper handling of file upload fields in publicly accessible forms.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-5324 |
| CVSS Score | 7.2 (High) |
| Affected Versions | Brizy – Page Builder ≤ 2.8.11 |
| Vulnerability Type | Unauthenticated Stored Cross-Site Scripting (XSS) |
| Published | 2026-05-02 |
| Source | NVD / NIST |
Technical Root Cause
The vulnerability arises from two compounding weaknesses in the Brizy Page Builder plugin:
- Missing nonce verification on unauthenticated form submission endpoints — the plugin fails to validate CSRF nonces before processing form data submitted by anonymous users.
- Insufficient sanitization of
FileUploadfield values — when no proper input filtering is applied to file-related form fields, an attacker can craft payloads that persist malicious JavaScript in the WordPress database.
When a victim with a privileged session (e.g., an administrator) visits a page containing the injected payload, the script executes in their browser context. This can be leveraged to:
- Hijack administrator sessions and steal authentication cookies
- Create rogue administrator accounts
- Deploy backdoors or redirect site visitors to malicious domains
- Modify site content or inject cryptomining scripts
Attack Vector
The attack is fully unauthenticated — no WordPress login is required. An attacker simply submits a crafted form payload to any page using a Brizy contact or lead-capture form. Because the XSS payload is stored server-side, every subsequent page load triggers execution for affected visitors.
Affected Versions
All versions of the Brizy – Page Builder plugin up to and including 2.8.11 are confirmed vulnerable. Brizy is a widely deployed drag-and-drop WordPress builder with hundreds of thousands of active installations.
Remediation
Immediate Actions
- Update immediately — upgrade the Brizy Page Builder plugin to the latest patched version (2.8.12 or newer) via the WordPress plugin dashboard or by downloading directly from the WordPress plugin repository.
- Audit existing content — review pages built with Brizy forms for evidence of stored malicious payloads, particularly in form submissions and file upload fields.
- Check administrator accounts — audit your WordPress user list for unauthorized accounts that may have been created through XSS-based privilege escalation.
If Immediate Update Is Not Possible
- Temporarily disable the Brizy Page Builder plugin until patching can be applied.
- Restrict access to WordPress form submission endpoints via your web server or WAF if the plugin must remain active.
- Enable a Web Application Firewall (WAF) with XSS detection rules (e.g., Cloudflare, Sucuri, or WordFence).
Detection
WordPress administrators can check for indicators of compromise by:
- Reviewing the WordPress database's
wp_optionsandwp_poststables for unexpected<script>tags in stored content. - Auditing server logs for unusual POST requests to Brizy form endpoints from unexpected IP addresses.
- Using a WordPress security scanner (e.g., Wordfence, MalCare) to scan for injected malicious code.
References
- NVD Entry: CVE-2026-5324
- WordPress Plugin Repository: Brizy – Page Builder
- OWASP: Stored Cross-Site Scripting