Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to stored cross‑site scripting through its Anchor block. Insufficient sanitization of user input and lack of output escaping allow an authenticated user with contributor‑level access or higher to inject arbitrary scripts that execute whenever a visitor loads the affected page. The injected code can steal session cookies, deface content, or perform other client‑side malicious actions.

Affected Systems

All WordPress sites using the Pagelayer plugin version 2.0.9 or earlier are affected. The flaw can only be exploited on installations where the attacker holds a contributor or higher role that permits editing pages containing the Anchor block. Sites running later versions or those that disable the plugin are not impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating medium severity. No EPSS score is available and the flaw is not listed in CISA’s KEV catalog, suggesting there are no known public exploits. The attack vector requires authenticated access; once privileges are obtained, the attacker can permanently inject scripts that run for every visitor to the edited page, leading to potential data theft and loss of site integrity.

Generated by OpenCVE AI on June 13, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pagelayer to the latest release (v2.1.0 or later) which removes the vulnerable Anchor block handling
  • Revoke or restrict contributor/editor access to the Anchor block or page editing until the patch is applied
  • Configure a web application firewall or security plugin to strip <script> tags and sanitize content to mitigate potential XSS attempts

Generated by OpenCVE AI on June 13, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Softaculous
Softaculous page Builder: Pagelayer – Drag And Drop Website Builder
Wordpress
Wordpress wordpress
Vendors & Products Softaculous
Softaculous page Builder: Pagelayer – Drag And Drop Website Builder
Wordpress
Wordpress wordpress

Sat, 13 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Description The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Softaculous Page Builder: Pagelayer – Drag And Drop Website Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-15T21:44:24.474Z

Reserved: 2026-02-26T20:10:52.812Z

Link: CVE-2026-3297

cve-icon Vulnrichment

Updated: 2026-06-15T21:44:18.949Z

cve-icon NVD

Status : Deferred

Published: 2026-06-13T08:16:12.200

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-3297

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T11:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')