WordPress Pagelayer Plugin Stored XSS Vulnerability Analysis (CVE-2026-2297)

Vulnerability Overview Vulnerability Name: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block CVE ID: CVE-2026-2297 CVSS Score: 6.4 (Medium) Release Date: June 12, 2026 Last Updated: June 13, 2026 Researchers: Athiwat Tiprasasam (Jitada), Rithidee Asaman (Boeing777) Impact Scope Software Type: Plugin Software Name: Page Builder: Pagelayer – Drag and Drop website builder Affected Versions: <= 2.0.9 Fixed Version: 2.1.0 Remediation Remediation Action: Upgrade to version 2.1.0 or higher Vulnerability Description This vulnerability allows authenticated users (Contributor role and above) to inject arbitrary web scripts via anchor blocks, resulting in the execution of malicious code on the page. Reference Links plugins.trac.wordpress.org Additional Information Wordfence Intelligence: Provides free personal and commercial API access to the WordPress vulnerability database. Support Hours: Monday to Friday, 9am-8pm ET, 6am-5pm PT, 2pm-1am UTC/GMT, excluding weekends and holidays. Response Time: 24/7 support, 1-hour response time for Response customers. Recent Vulnerability List Page Builder: Pagelayer – Drag and Drop website builder - CVE-2026-2470: Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts' - CVE-2026-2509: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes - CVE-2026-2442: Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' - CVE-2026-39469: Authenticated (Contributor+) Information Exposure - CVE-2025-12366: Authenticated (Author+) Insecure Direct Object Reference - CVE-2025-4223: Reflected Cross-Site Scripting via login_url Parameter - CVE-2024-13427: Stored Cross-Site Scripting via Button Link - CVE-2025-2104: Missing Authorization to Authenticated (Contributor+) Post Publication - CVE-2024-13430: Authenticated (Contributor+) Private Post Disclosure in pagebuilder_builder_posts_shortcode - CVE-2025-1926: Cross-Site Request Forgery (CSRF) To Post Contents Modification Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved License: MITRE Corporation, Common Vulnerabilities and Exposures (CVE) Contact Information Technical Support: info-support@wordfence.com Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Email: Wordfence Additional Links Terms of Service: Link Privacy Policy and Notice at Collection: Link Do Not Sell or Share My Personal Information: Link Subscription Subscription Form: Subscribe Product Support Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form Updates Stay Updated: Subscribe to news and updates from experienced security professionals. Other Business Hours: Monday to Friday, 9am-8pm ET, 6am-5pm PT, 2pm-1am UTC/GMT, excluding weekends and holidays. Response Customers: 24/7 support, 1-hour response time. Additional Links Terms of Service: Link Privacy Policy and Notice at Collection: Link Do Not Sell or Share My Personal Information: Link Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Email: Wordfence Subscription Subscription Form: Subscribe Product Support Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form Updates Stay Updated: Subscribe to news and updates from experienced security professionals. Other Business Hours: Monday to Friday, 9am-8pm ET, 6am-5pm PT, 2pm-1am UTC/GMT, excluding weekends and holidays. Response Customers: 24/7 support, 1-hour response time. Additional Links Terms of Service: Link Privacy Policy and Notice at Collection: Link Do Not Sell or Share My Personal Information: Link Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Email: Wordfence Subscription Subscription Form: Subscribe Product Support Products: Wordfence Free, Wordfence Premium, Wordfence Care, Wordfence Response, Wordfence CLI, Wordfence Intelligence, Wordfence Central Support: Documentation, Learning Center, Free Support, Premium Support News: Blog, In The News, Vulnerability Advisories About: About Wordfence, Affiliate Program, Employment, Contact, Security, CVE Request Form Updates Stay Updated: Subscribe to news and updates from experienced security professionals. Other Business Hours: Monday to Friday, 9am-8pm ET, 6am-5pm PT, 2pm-1am UTC/GMT, excluding weekends and holidays. Response Customers: 24/7 s

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Pagelayer Plugin Stored XSS Vulnerability Analysis (CVE-2026-2297)

More from this source