WordPress Plugin Vulnerabilities

Page Builder: Pagelayer < 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes

Description

The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
pagelayer
Fixed in 2.0.9

References

CVE
CVE-2026-2509
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/915c119d-2bae-4ea6-babb-7e8e99054cd0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
4b9e8719-b31d-4371-99b8-dca8e565f927

Timeline

Publicly Published
2026-04-07 (about 2 months ago)
Added
2026-04-08 (about 2 months ago)
Last Updated
2026-04-08 (about 2 months ago)

Other

Published
Title
Published
2023-07-13
Title
Buy Me a Coffee < 3.7 - Subscriber+ Stored Cross-Site Scripting
Published
2020-08-31
Title
Bulk Change <= 1.0 - Authenticated Reflected Cross-Site Scripting
Published
2025-04-22
Title
wProject < 5.8.0 - Reflected Cross-Site Scripting
Published
2025-04-14
Title
Newsletter < 8.7.1 - Admin+ Stored XSS
Published
2014-08-01
Title
Nmedia MailChimp 3.1 - api_mailchimp/postToMailChimp.php abs_path Parameter XSS