Impact
The Page Builder: Pagelayer plugin for WordPress contains a stored cross-site scripting vulnerability in the Button widget's Custom Attributes field. The flaw arises from an incomplete event-handler blocklist in the 'pagelayer_xss_content' filtering function, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript. Once stored, the script executes each time a user views the affected page, potentially leaking session data, defacing content, or performing actions on that user's behalf. The weakness is classified as CWE-79.
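As an added illustration, not Pagelayer's own code and not a claim about how the plugin's fix is written, the following PHP shows the allowlist approach that avoids the failure mode described above: instead of enumerating event-handler names to block, it accepts only attribute names known to be inert and drops everything else, so a handler the blocklist author never thought of is rejected by default. The function names, the allowlist contents and the sample input are assumptions made for this example.

```php
<?php
// Added example, not Pagelayer's code: allowlist-based handling of a widget's
// custom-attributes field. Function names, the allowlist contents and the
// sample input below are assumptions made for illustration.

// Attribute names a Contributor may set on a Button. Anything absent from this
// list is dropped, so no event handler ever needs to be enumerated to be blocked.
const BUTTON_ALLOWED_ATTRIBUTES = ['id', 'class', 'title', 'rel', 'target', 'role', 'aria-label'];

// Decide whether a single attribute name may be emitted. data-* names are
// accepted because browsers never execute them; every on* name is an event
// handler and is refused regardless of what the allowlist contains.
function is_allowed_attribute_name(string $name): bool
{
    $name = strtolower(trim($name));
    if (preg_match('/^[a-z][a-z0-9-]*$/', $name) !== 1) {
        return false;                       // malformed name (spaces, quotes, slashes ...)
    }
    if (strncmp($name, 'on', 2) === 0) {
        return false;                       // onclick, onmouseover, onfocus, ... all rejected
    }
    if (strncmp($name, 'data-', 5) === 0) {
        return true;
    }
    return in_array($name, BUTTON_ALLOWED_ATTRIBUTES, true);
}

// Filter a name => value map as submitted by the editor. Values are escaped for
// the attribute context; inside WordPress, esc_attr() serves the same purpose.
function sanitize_custom_attributes(array $attrs): array
{
    $clean = [];
    foreach ($attrs as $name => $value) {
        $name = strtolower(trim((string) $name));
        if (!is_allowed_attribute_name($name)) {
            continue;
        }
        $clean[$name] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $clean;
}

// Render the surviving attributes as a string ready to go inside a <button ...> tag.
function render_attributes(array $clean): string
{
    $parts = [];
    foreach ($clean as $name => $value) {
        $parts[] = $name . '="' . $value . '"';
    }
    return implode(' ', $parts);
}

// Constructed sample input: the kind of map a Contributor's form submission yields.
$submitted = [
    'class'       => 'btn btn-primary',
    'onmouseover' => 'constructedHandler()',   // event handler: must never reach the page
    'data-track'  => 'hero-cta',
    'title'       => 'Buy "now" & save',
    'on click'    => 'constructedHandler()',   // malformed name: also dropped
];

$clean = sanitize_custom_attributes($submitted);
echo '<button ' . render_attributes($clean) . '>Buy</button>', PHP_EOL;
```

Run with `php example.php`: only `class`, `data-track` and `title` survive, with the quotes and ampersand in the title escaped, while both `on*` entries are discarded without the code ever having to list them. In a real WordPress plugin the same shape is obtained by passing an explicit allowed-attributes array to `wp_kses()` and escaping values with `esc_attr()`, both of which are part of the WordPress core API.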
Affected Systems
The affected vendor is Softaculous, developer of the Page Builder: Pagelayer WordPress plugin. All plugin releases up through 2.0.8 are vulnerable. The vulnerability is reachable only on installations where authenticated users with Contributor or higher permissions can edit or create pages containing the Button widget. All WordPress sites that run these plugin versions and grant such contributor roles are at risk.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, indicating moderate severity. EPSS data is unavailable, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, so active exploitation is not confirmed. However, because the required access level is Contributor or higher, any account holding that role could exploit the flaw. An attacker can embed persistent malicious code that runs for every visitor to the affected page, including unauthenticated users, leading to possible session hijacking, data theft, or defacement. The risk is therefore significant for WordPress sites that use the plugin and grant contributor access.
OpenCVE Enrichment