Page Builder: Pagelayer – Drag and Drop website builder WordPress Plugin Security Vulnerabilities | WPScan

23

February 18, 2026

400000

Published

2025-11-12

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.6 - Authenticated (Author+) Insecure Direct Object Reference

Fixed in

Fixed in 2.0.6

CVSS

4.3 (medium)

Published

2025-05-23

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Reflected Cross-Site Scripting via login_url Parameter

Fixed in

Fixed in 2.0.1

CVSS

4.7 (medium)

Published

2025-05-23

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link

Fixed in

Fixed in 2.0.1

CVSS

6.4 (medium)

Published

2025-03-12

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.0 - Missing Authorization to Authenticated (Contributor+) Post Publication

Fixed in

Fixed in 2.0.0

CVSS

4.3 (medium)

Published

2025-03-11

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.9.9 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode

Fixed in

Fixed in 1.9.9

CVSS

4.3 (medium)

Published

2025-03-09

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.9.9 - Cross-Site Request Forgery (CSRF) To Post Contents Modification

Fixed in

Fixed in 1.9.9

CVSS

4.3 (medium)

Published

2025-01-24

Title

PageLayer < 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 1.9.5

CVSS

6.4 (medium)

Published

2024-09-04

Title

Page Builder: Pagelayer < 1.9.0- Admin+ Stored XSS

Fixed in

Fixed in 1.9.0

CVSS

3.5 (low)

Published

2024-08-28

Title

PageLayer < 1.8.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Fixed in

Fixed in 1.8.8

CVSS

4.4 (medium)

Published

2024-07-28

Title

Pagelayer < 1.8.8 - Admin+ Stored XSS

Fixed in

Fixed in 1.8.8

CVSS

3.5 (low)

Published

2024-03-28

Title

PageLayer < 1.8.2 - Missing Authorization

Fixed in

Fixed in 1.8.2

CVSS

4.3 (medium)

Published

2024-03-21

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.5 - Contributor+ Stored XSS

Fixed in

Fixed in 1.8.5

CVSS

6.4 (medium)

Published

2024-03-07

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes

Fixed in

Fixed in 1.8.4

CVSS

6.4 (medium)

Published

2024-02-22

Title

Page Builder < 1.8.3 - Contributor+ Stored XSS

Fixed in

Fixed in 1.8.3

CVSS

5.9 (medium)

Published

2024-01-08

Title

PageLayer < 1.8.0 - Author+ Stored XSS

Fixed in

Fixed in 1.8.0

CVSS

3.4 (low)

Published

2024-01-03

Title

PageLayer < 1.7.9 - Contributor+ Stored XSS

Fixed in

Fixed in 1.7.9

CVSS

5.9 (medium)

Published

2023-12-24

Title

PageLayer < 1.8.1 - Admin+ Stored XSS

Fixed in

Fixed in 1.8.1

CVSS

3.4 (low)

Published

2023-09-25

Title

PageLayer < 1.7.8 - Author+ Stored XSS

Fixed in

Fixed in 1.7.8

CVSS

6.8 (medium)

Published

2023-09-25

Title

PageLayer < 1.7.7 - Unauthenticated Stored XSS

Fixed in

Fixed in 1.7.7

CVSS

8.8 (high)

Published

2023-09-13

Title

PageLayer < 1.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 1.7.7

CVSS

6.4 (medium)

Published

2020-12-10

Title

Pagelayer < 1.3.5 - Multiple Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 1.3.5

CVSS

6.1 (medium)

Published

2020-05-28

Title

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - Unprotected AJAX's leading to XSS

Fixed in

Fixed in 1.1.2

CVSS

7.4 (high)

Published

2020-05-28

Title

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS

Fixed in

Fixed in 1.1.2

CVSS

8.8 (high)