Impact
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to stored cross‑site scripting through its Anchor block. Insufficient sanitization of user input and lack of output escaping allow an authenticated user with contributor‑level access or higher to inject arbitrary scripts that execute whenever a visitor loads the affected page. The injected code can steal session cookies, deface content, or perform other client‑side malicious actions.
Affected Systems
All WordPress sites using the Pagelayer plugin version 2.0.9 or earlier are affected. The flaw can only be exploited on installations where the attacker holds a contributor or higher role that permits editing pages containing the Anchor block. Sites running later versions or those that disable the plugin are not impacted.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, indicating medium severity. No EPSS score is available and the flaw is not listed in CISA’s KEV catalog, suggesting there are no known public exploits. The attack vector requires authenticated access; once privileges are obtained, the attacker can permanently inject scripts that run for every visitor to the edited page, leading to potential data theft and loss of site integrity.