Skip to main content

Pagelayer EUVDEUVD-2026-36646

| CVE-2026-3297 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-13 Wordfence GHSA-m66x-pc7c-qw2m
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim to visit the injected page (UI:R); scope change applies to victim browser (S:C); contributor authentication is required (PR:L).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 08:28 vuln.today
CVE Published
Jun 13, 2026 - 07:51 nvd
MEDIUM 6.4

DescriptionNVD

The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.

Technical ContextAI

The affected component is the Anchor block within the Pagelayer WordPress page builder plugin developed by Softaculous (CPE: cpe:2.3:a:softaculous:page_builder:_pagelayer_-_drag_and_drop_website_builder:*:*:*:*:*:*:*:*). Pagelayer provides a drag-and-drop page construction interface that allows contributors to compose pages using modular block elements. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - stored variant): user-supplied input in the Anchor block attribute is not adequately sanitized before persistence to the WordPress database and is not properly escaped when rendered to subsequent visitors. The CVSS scope change metric (S:C) is appropriate because successful script injection executes in the victim's browser context, outside the WordPress application's own security boundary, allowing the attacker to affect a security principal other than themselves.

RemediationAI

A code-level fix has been committed upstream as WordPress plugin SVN changeset 3506022, available at https://plugins.trac.wordpress.org/changeset/3506022/pagelayer; however, the exact patched release version number was not confirmed in available data - administrators should update Pagelayer to any version released after 2.0.9 via the WordPress plugin dashboard and verify the installed version exceeds 2.0.9. As an immediate compensating control, site owners should audit and remove untrusted contributor-level accounts, or restrict contributor registration, to deny potential attackers the prerequisite access level - note this may limit legitimate editorial workflows. WAF rules targeting script injection via page builder input fields (available from Wordfence and similar solutions) can provide partial coverage but may generate false positives on legitimate anchor HTML attributes and should be tested before broad deployment. If the Anchor block feature is not in active use, disabling it through plugin settings (if exposed) would eliminate the attack surface with no functional side effects for sites not using page anchors.

CVE-2020-13643 HIGH POC
8.8 May 28

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.

CVE-2020-13642 HIGH POC
8.8 May 28

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.

CVE-2020-28650 MEDIUM POC
5.4 Nov 16

The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard W

CVE-2024-5709 HIGH
8.8 Aug 06

The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and inclu

CVE-2023-52193 MEDIUM
6.5 Feb 01

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team

CVE-2024-4361 MEDIUM
6.4 May 21

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteo

CVE-2024-1842 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in a

CVE-2024-1841 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all v

CVE-2024-1840 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all

CVE-2024-1805 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all v

CVE-2024-2202 MEDIUM
6.4 Mar 23

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image wi

CVE-2025-1459 MEDIUM
6.4 Mar 01

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(

Share

EUVD-2026-36646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy