Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts will only execute in the context of that authenticated user.
Published: 2025-05-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that can run scripts in the context of logged‑in users
Action: Update Plugin
AI Analysis

Impact

The Pagelayer Drag and Drop website builder plugin for WordPress has a Reflected Cross‑Site Scripting flaw caused by inadequate sanitization of the ‘login_url’ parameter in all versions 2.0.0 and earlier. An attacker can embed malicious script code in that parameter, which is later echoed back to the user’s browser. When a victim clicks a crafted link or otherwise submits the malicious value, the script executes within the authenticated session. If the attacker has obtained a valid username/password pair, the injected code will run with the privileges of that user, potentially exposing sensitive data or hijacking the session.

Affected Systems

All WordPress sites that have installed Page Builder: Pagelayer – Drag and Drop website builder version 2.0.0 or earlier are affected. The vulnerability resides in the plugin’s ajax handling code and is triggered when the ‘login_url’ parameter is used during any authenticated request.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a valid credential pair to trigger the injection, but an attacker can entice a victim to click a malicious link, so the risk to enterprises that maintain this plugin remains non‑negligible. The attack vector is via a reflected XSS payload delivered through the login_url parameter, exploiting unsanitized output rendering.

Generated by OpenCVE AI on April 20, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pagelayer to the latest version that removes the vulnerable code
  • If an immediate update is infeasible, enforce input sanitization on login_url by applying WordPress’ esc_url and esc_html before outputting it
  • Implement content security policies and X-Content-Type-Options to mitigate the impact of any residual XSS vectors

Generated by OpenCVE AI on April 20, 2026 at 22:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28001 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts will only execute in the context of that authenticated user.
History

Sat, 24 May 2025 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 24 May 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts will only execute in the context of that authenticated user.
Title Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Reflected Cross-Site Scripting via login_url Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:32.466Z

Reserved: 2025-05-02T13:27:27.597Z

Link: CVE-2025-4223

cve-icon Vulnrichment

Updated: 2025-05-24T09:57:44.783Z

cve-icon NVD

Status : Deferred

Published: 2025-05-24T05:15:21.483

Modified: 2026-06-17T09:32:48.000

Link: CVE-2025-4223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')