Skip to main content
CVE Vulnerability Database

CVE-2026-3297: Pagelayer WordPress Plugin XSS Vulnerability

CVE-2026-3297 is a stored cross-site scripting flaw in the Pagelayer WordPress plugin that allows authenticated attackers to inject malicious scripts. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-3297 Overview

CVE-2026-3297 is a Stored Cross-Site Scripting (XSS) vulnerability in the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. The flaw affects all versions up to and including 2.0.9. It stems from insufficient input sanitization and output escaping in the plugin's Anchor block [CWE-79].

Authenticated users with contributor-level access or higher can inject arbitrary JavaScript into pages. The injected script executes in the browser of any visitor who loads the affected page, including administrators.

Critical Impact

Authenticated contributors can persist malicious JavaScript in WordPress pages, enabling session hijacking, administrative account takeover, and redirection of site visitors.

Affected Products

  • Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress
  • Versions up to and including 2.0.9
  • WordPress sites allowing contributor-level or higher access

Discovery Timeline

  • 2026-06-13 - CVE-2026-3297 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-3297

Vulnerability Analysis

The vulnerability resides in the Anchor block component of the Pagelayer page builder. The plugin fails to sanitize user-supplied input before storing it and does not escape output when rendering the Anchor block on the front end. Attacker-controlled attribute values, such as anchor identifiers, pass through to the rendered HTML without filtering.

This combination allows an authenticated attacker to embed script payloads inside an Anchor block. The payload is stored in the post or page record and executed every time the page is viewed. Because contributors can typically create draft content for editorial review, an administrator previewing or publishing the content triggers the script under their session context.

The attack scope is changed (S:C), meaning a successful payload can affect resources beyond the vulnerable component, such as the WordPress admin interface or other origins reachable from the victim's browser.

Root Cause

The root cause is missing input sanitization on write and missing output escaping on render within the Anchor block handler. WordPress provides functions such as sanitize_text_field(), esc_attr(), and esc_html() for this purpose. The vulnerable code paths do not apply these guards consistently to Anchor block attributes.

Attack Vector

Exploitation is network-based and requires contributor privileges or higher. The attacker authenticates to the WordPress instance, edits a page using Pagelayer, and inserts a crafted payload into the Anchor block. When any user, including administrators or site visitors, loads the page, the script runs in their browser. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Changeset for technical details.

Detection Methods for CVE-2026-3297

Indicators of Compromise

  • New or recently modified WordPress pages containing <script> tags, on* event handlers, or javascript: URIs in Anchor block attributes.
  • Outbound browser requests from administrator sessions to unfamiliar domains shortly after viewing or previewing content.
  • Creation of new WordPress administrator accounts or unexpected changes to user roles following a contributor's page edits.
  • Pagelayer plugin installed at version 2.0.9 or earlier.

Detection Strategies

  • Audit the wp_posts table for Pagelayer Anchor block markup containing script tags, event handler attributes, or encoded JavaScript payloads.
  • Review post revision history to correlate suspicious content insertions with contributor accounts.
  • Deploy a web application firewall rule to flag stored content containing script-like payloads in Pagelayer block attributes.

Monitoring Recommendations

  • Enable WordPress audit logging to track post creation, edits, and publication events tied to contributor accounts.
  • Monitor browser console errors and Content Security Policy (CSP) violation reports for inline script execution on pages built with Pagelayer.
  • Alert on privilege escalation events, password resets, and new administrator account creation following content edits.

How to Mitigate CVE-2026-3297

Immediate Actions Required

  • Update the Pagelayer plugin to a version later than 2.0.9 as soon as the patched release is available.
  • Audit existing pages and posts for malicious payloads injected via the Anchor block and remove or sanitize affected content.
  • Review contributor and author accounts, removing inactive users and rotating credentials for any account suspected of misuse.

Patch Information

The vendor addressed the vulnerability in the Pagelayer plugin source tree. See the WordPress Plugin Changeset 3506022 for the fix commit. Site administrators should upgrade through the WordPress plugin updater or by replacing the plugin directory with the patched release.

Workarounds

  • Restrict contributor and author roles to trusted users only until the plugin is patched.
  • Disable the Pagelayer Anchor block in editorial templates if it is not required.
  • Enforce a strict Content Security Policy that blocks inline scripts and limits script sources to trusted origins.
bash
# Update Pagelayer via WP-CLI once a fixed version is published
wp plugin update pagelayer

# List users with contributor role or higher for review
wp user list --role=contributor --fields=ID,user_login,user_email,user_registered

# Search posts for suspicious script content in Anchor blocks
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%pagelayer-anchor%' AND (post_content LIKE '%<script%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%javascript:%');"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.