cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for pagelayer

Jun 07, 2024

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-36384

CVE, Research URL

CVE-2020-36384

Date
Jun 07, 2021
Research Description
PageLayer before 1.3.5 allows reflected XSS via color settings.
Affected versions
max 1.3.5.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-35947

CVE, Research URL

CVE-2020-35947

Date
Jan 01, 2021
Research Description
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of authorization, but a nonce was present in a publicly viewable page. The greatest impact was the pagelayer_save_content function that allowed pages to be modified and allowed XSS to occur.
Affected versions
max 1.1.2.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-5087

CVE, Research URL

CVE-2023-5087

Date
Oct 17, 2023
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.
Affected versions
max 1.7.8.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-36383

CVE, Research URL

CVE-2020-36383

Date
Jun 07, 2021
Research Description
PageLayer before 1.3.5 allows reflected XSS via the font-size parameter.
Affected versions
max 1.3.5.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2020-35944

CVE, Research URL

CVE-2020-35944

Date
Jan 01, 2021
Research Description
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
Affected versions
max 1.1.2.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-5124

CVE, Research URL

CVE-2023-5124

Date
Jan 29, 2024
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.
Affected versions
max 1.8.0.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-1590

CVE, Research URL

CVE-2024-1590

Date
Feb 23, 2024
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.8.3.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-7115

CVE, Research URL

CVE-2023-7115

Date
Feb 27, 2024
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 1.8.1.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-6738

CVE, Research URL

CVE-2023-6738

Date
Jan 04, 2024
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7.
Affected versions
max 1.7.9.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-2127

CVE, Research URL

CVE-2024-2127

Date
Mar 08, 2024
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.8.4.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-4687

CVE, Research URL

CVE-2023-4687

Date
Oct 17, 2023
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts.
Affected versions
max 1.7.7.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-2504

CVE, Research URL

CVE-2024-2504

Date
Apr 10, 2024
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attr' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.8.5.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-30465

CVE, Research URL

CVE-2024-30465

Date
Jun 09, 2024
Research Description
Missing Authorization vulnerability in Pagelayer Team PageLayer. This issue affects PageLayer: from n/a through 1.8.1.
Affected versions
max 1.8.2.
Status
vulnerable
Aug 31, 2024

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-43972

CVE, Research URL

CVE-2024-43972

Date
Sep 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagelayer Team PageLayer allows Stored XSS. This issue affects PageLayer: from n/a through 1.8.7.
Affected versions
max 1.8.8.
Status
vulnerable
Jan 26, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2023-49196

CVE, Research URL

CVE-2023-49196

Date
Dec 09, 2024
Research Description
Missing Authorization vulnerability in Pagelayer Team PageLayer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PageLayer: from n/a through 1.7.7.
Affected versions
max 1.7.8.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-24573

CVE, Research URL

CVE-2025-24573

Date
Jan 24, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softaculous PageLayer pagelayer allows DOM-Based XSS. This issue affects PageLayer: from n/a through <= 1.9.4.
Affected versions
max 1.9.5.
Status
vulnerable
Mar 10, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-1926

CVE, Research URL

CVE-2025-1926

Date
Mar 10, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.9.9.
Status
vulnerable
Mar 12, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-13430

CVE, Research URL

CVE-2024-13430

Date
Mar 12, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
Affected versions
max 1.9.9.
Status
vulnerable
Mar 14, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-2104

CVE, Research URL

CVE-2025-2104

Date
Mar 13, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.
Affected versions
max 2.0.0.
Status
vulnerable
May 19, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-8618

CVE, Research URL

CVE-2024-8618

Date
May 16, 2025
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 1.9.0.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-8426

CVE, Research URL

CVE-2024-8426

Date
May 16, 2025
Research Description
The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Affected versions
max 1.8.8.
Status
vulnerable
May 25, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2024-13427

CVE, Research URL

CVE-2024-13427

Date
May 24, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 1.9.9 and completely fixed in version 2.0.1.
Affected versions
max 2.0.1.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-4223

CVE, Research URL

CVE-2025-4223

Date
May 24, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts will only execute in the context of that authenticated user.
Affected versions
max 2.0.1.
Status
vulnerable
Dec 11, 2025

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2025-12366

CVE, Research URL

CVE-2025-12366

Date
Nov 13, 2025
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.
Affected versions
max 2.0.6.
Status
vulnerable
Apr 13, 2026

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2026-39469

CVE, Research URL

CVE-2026-39469

Date
Apr 08, 2026
Research Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data. This issue affects PageLayer: from n/a through <= 2.0.8.
Affected versions
max 2.0.9.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2026-2442

CVE, Research URL

CVE-2026-2442

Date
Mar 28, 2026
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
Affected versions
max 2.0.8.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2026-2509

CVE, Research URL

CVE-2026-2509

Date
Apr 08, 2026
Research Description
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.9.
Status
vulnerable
Jun 13, 2026

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2026-3297

CVE, Research URL

CVE-2026-3297

Date
Jun 13, 2026
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.1.0.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # CVE-2026-2470

CVE, Research URL

CVE-2026-2470

Date
Jun 13, 2026
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.
Affected versions
max 2.1.0.
Status
vulnerable
Jun 16, 2026

Page Builder: Pagelayer – Drag and Drop website builder # 034ff0255a06b02d7a3099c8b62052121c06a6b8

Date
Sep 13, 2023
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.7.7. PageLayer <= 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting. The PageLayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_code', and 'pagelayer_footer_code' parameters in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.7.7.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # 798fe899223d5728f117e7d01b13ea4115a359b9

Date
Sep 14, 2023
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.7.7. WordPress PageLayer Plugin < 1.7.7 is vulnerable to Cross Site Scripting (XSS). Update the WordPress PageLayer plugin to the latest available version (at least 1.7.7). Unknown discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress PageLayer Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.7.7.
Affected versions
max 1.7.7.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # 771adaa7afbcaf41aea7191901a7d7429f6a19c0

Date
Dec 01, 2023
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.7.8. PageLayer <= 1.7.7 - Cross-Site Request Forgery via pagelayer_load_plugin. The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.7. This is due to missing or incorrect nonce validation on the pagelayer_load_plugin function. This makes it possible for unauthenticated attackers to disable the "getting started" promo via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.7.8.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # aab81ab038e323f0977365f7877f48f916dbb82c

Date
Dec 10, 2020
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.3.5. WordPress PageLayer plugin <= 1.3.4 - Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability found by WordFence Threat Intelligence team in WordPress PageLayer plugin (versions <= 1.3.4).
Affected versions
max 1.3.5.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # 8d500d20-4ac0-48b1-8529-3f07aadb1288

Date
-
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.3.5. Pagelayer < 1.3.5 - Multiple Reflected Cross-Site Scripting (XSS). Multiple Cross-Site Scripting issues, via the font-size and color parameters of the Website Settings, were fixed in v1.3.5 of the plugin.
Affected versions
max 1.3.5.
Status
vulnerable

Page Builder: Pagelayer – Drag and Drop website builder # 76ab9564-81e9-4923-8e2c-624abdb22394

Date
-
Research Description
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] < 1.7.7. PageLayer < 1.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting. The PageLayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_code', and 'pagelayer_footer_code' parameters in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.7.7.
Status
vulnerable