Stored Cross-Site Scripting in Pagelayer WordPress Plugin
CVE-2023-6738

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Page Builder: Pagelayer – Drag And Drop Website Builder
Vendor: CVE Published:; 4 January 2024

What is CVE-2023-6738?

The Pagelayer WordPress plugin is susceptible to Stored Cross-Site Scripting vulnerabilities due to inadequate input sanitization and output escaping in the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields. Authenticated attackers with contributor-level permissions can exploit this flaw to inject malicious scripts that execute whenever a user accesses the compromised page. This issue seems to have resurfaced following a fix in version 1.7.7.

Affected Version(s)

Page Builder: Pagelayer – Drag and Drop website builder * <= 1.7.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/pagelayer/trun...

https://plugins.trac.wordpress.org/changeset?old_path=/pa...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 4, 2024
Vulnerability Reserved
Dec 12, 2023

Credit

Nex Team