WordPress Plugin Vulnerabilities

PageLayer < 1.8.0 - Author+ Stored XSS

Description

The plugin doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.

Proof of Concept

Affects Plugins

Plugin icon
pagelayer
Fixed in 1.8.0

References

CVE
CVE-2023-5124

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas
Submitter website
https://wpscan.com
Submitter twitter
marcS0H
Verified
Yes
WPVDB ID
1ef86546-3467-432c-a863-1ca3e5c65bd4

Timeline

Publicly Published
2024-01-08 (about 1 year ago)
Added
2024-01-08 (about 1 year ago)
Last Updated
2024-01-08 (about 1 year ago)

Other

Published
Title
Published
2025-04-17
Title
Download Manager < 3.3.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2020-08-31
Title
Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting
Published
2024-02-20
Title
File Manager Pro < 8.3.5 - Reflected Cross-Site Scripting
Published
2014-12-19
Title
Live Forms < 1.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2025-09-26
Title
HT Feed < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting