The Brizy – Page Builder plugin for WordPress suffers from an unauthenticated stored XSS vulnerability due to multiple flaws: the submit_form() function does not verify nonces for unauthenticated users, handleFileTypeFields() fails to sanitize file upload inputs when no file is uploaded, and html_entity_decode() reverses prior encoding before outputting unescaped data in admin views. Specifically, file upload values are output directly in href attributes without proper escaping (esc_url()), allowing injection of arbitrary scripts that execute in the administrator's browser upon viewing the form Leads page. This vulnerability affects all versions up to and including 2.8.11.

An unauthenticated attacker can inject malicious scripts that are stored and later executed in the context of an administrator's browser when viewing form entries. This can lead to partial confidentiality and integrity loss (CVSS impact: low confidentiality and integrity impact, no availability impact). The vulnerability allows cross-site scripting attacks that could be used to hijack admin sessions or perform actions with admin privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should exercise caution when viewing form entries submitted via the Brizy – Page Builder plugin. Consider disabling or restricting access to the form Leads page or the plugin itself to trusted users only. Monitor official vendor channels for updates and patches addressing this vulnerability.