Description
The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version
Timeline
| 2026-04-01: | Vendor Notified |
| 2026-05-01: | Disclosed |
Credits
momopon1415
References
www.wordfence.com/...-5edd-4f11-9090-f79868864fee?source=cve
plugins.trac.wordpress.org/...7.24/admin/views/form-data.php
plugins.trac.wordpress.org/.../2.7.24/admin/form-entries.php
plugins.trac.wordpress.org/...runk/admin/views/form-data.php
plugins.trac.wordpress.org/...gs/2.7.24/editor/forms/api.php
plugins.trac.wordpress.org/...gs/2.7.24/editor/forms/api.php
plugins.trac.wordpress.org/...runk/admin/views/form-data.php
plugins.trac.wordpress.org/...&new_path=%2Fbrizy/tags/2.8.12