cleantalk
Vulnerabilities and Security Researches

Page Builder: Pagelayer – Drag and Drop website builder, CVE-2026-3297

CVE, Research URL

CVE-2026-3297

Home page URL

Security reports for Page Builder: Pagelayer – Drag and Drop website builder

Application

Page Builder: Pagelayer – Drag and Drop website builder

Published on
Jun 13, 2026
Research Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.1.0.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-3297) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-2470) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
New vulnerability
Remove Duplicate Posts (CVE-2023-33999) , Jun 13, 2026
Instant Page Load (CVE-2023-33999) , Jun 13, 2026
Elementor Website Builder – More than Just a Page Builder (CVE-2025-67588) , Jun 13, 2026
Elementor Website Builder – More than Just a Page Builder (CVE-2025-11220) , Jun 13, 2026
Floating Social Share Icons and Social Share buttons – Next Previous Post Links – FL (CVE-2023-33999) , Jun 13, 2026