Vulnerabilities and security research for pagelayer
Jun 07, 2024
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-36384
- CVE, Research URL
- Date: Jun 07, 2021
- Research Description: PageLayer before 1.3.5 allows reflected XSS via color settings.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-35947
- CVE, Research URL
- Date: Jan 01, 2021
- Research Description: An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of authorization, but a nonce was present in a publicly viewable page. The greatest impact was the pagelayer_save_content function that allowed pages to be modified and allowed XSS to occur.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-5087
- CVE, Research URL
- Date: Oct 17, 2023
- Research Description: The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-36383
- CVE, Research URL
- Date: Jun 07, 2021
- Research Description: PageLayer before 1.3.5 allows reflected XSS via the font-size parameter.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-35944
- CVE, Research URL
- Date: Jan 01, 2021
- Research Description: An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-5124
- CVE, Research URL
- Date: Jan 29, 2024
- Research Description: The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-1590
- CVE, Research URL
- Date: Feb 23, 2024
- Research Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-7115
- CVE, Research URL
- Date: Feb 27, 2024
- Research Description: The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-6738
- CVE, Research URL
- Date: Jan 04, 2024
- Research Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-2127
- CVE, Research URL
- Date: Mar 08, 2024
- Research Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-4687
- CVE, Research URL
- Date: Oct 17, 2023
- Research Description: The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-2504
- CVE, Research URL
- Date: Apr 10, 2024
- Research Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attr' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-30465
- CVE, Research URL
- Date: Jun 09, 2024
- Research Description: Missing Authorization vulnerability in Pagelayer Team PageLayer. This issue affects PageLayer: from n/a through 1.8.1.
- Affected versions: Min -, max -.
- Status: vulnerable
Aug 31, 2024
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-43972
- CVE, Research URL
- Date: Sep 18, 2024
- Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagelayer Team PageLayer allows Stored XSS. This issue affects PageLayer: from n/a through 1.8.7.
- Affected versions: Min -, max -.
- Status: vulnerable
Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-49196
- CVE, Research URL
- Date: Dec 09, 2024
- Research Description: Missing Authorization vulnerability in Pagelayer Team PageLayer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PageLayer: from n/a through 1.7.7.
- Affected versions: Min -, max -.
- Status: vulnerable
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-24573
- CVE, Research URL
- Date: Jan 24, 2025
- Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagelayer Team PageLayer allows DOM-Based XSS. This issue affects PageLayer: from n/a through 1.9.4.
- Affected versions: Min -, max -.
- Status: vulnerable
Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-1926
- CVE, Research URL
- Date: Mar 10, 2025
- Research Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: Min -, max -.
- Status: vulnerable