Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim to visit the injected page (UI:R); scope change applies to victim browser (S:C); contributor authentication is required (PR:L).
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.
Technical ContextAI
The affected component is the Anchor block within the Pagelayer WordPress page builder plugin developed by Softaculous (CPE: cpe:2.3:a:softaculous:page_builder:_pagelayer_-_drag_and_drop_website_builder:*:*:*:*:*:*:*:*). Pagelayer provides a drag-and-drop page construction interface that allows contributors to compose pages using modular block elements. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - stored variant): user-supplied input in the Anchor block attribute is not adequately sanitized before persistence to the WordPress database and is not properly escaped when rendered to subsequent visitors. The CVSS scope change metric (S:C) is appropriate because successful script injection executes in the victim's browser context, outside the WordPress application's own security boundary, allowing the attacker to affect a security principal other than themselves.
RemediationAI
A code-level fix has been committed upstream as WordPress plugin SVN changeset 3506022, available at https://plugins.trac.wordpress.org/changeset/3506022/pagelayer; however, the exact patched release version number was not confirmed in available data - administrators should update Pagelayer to any version released after 2.0.9 via the WordPress plugin dashboard and verify the installed version exceeds 2.0.9. As an immediate compensating control, site owners should audit and remove untrusted contributor-level accounts, or restrict contributor registration, to deny potential attackers the prerequisite access level - note this may limit legitimate editorial workflows. WAF rules targeting script injection via page builder input fields (available from Wordfence and similar solutions) can provide partial coverage but may generate false positives on legitimate anchor HTML attributes and should be tested before broad deployment. If the Anchor block feature is not in active use, disabling it through plugin settings (if exposed) would eliminate the attack surface with no functional side effects for sites not using page anchors.
More in Page Builder
View allAn issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard W
The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and inclu
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteo
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in a
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all v
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all v
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image wi
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36646
GHSA-m66x-pc7c-qw2m