WordPress Plugin Vulnerabilities

Page Builder < 1.8.3 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its Button Widget options before outputting them back in a page/post where the widget is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
pagelayer
Fixed in 1.8.3

References

CVE
CVE-2024-1590
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e635dfb3-002d-4197-b14a-0136a1990a75

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
8a36a5f7-75f0-4a94-ad4e-0f89746185a7

Timeline

Publicly Published
2024-02-22 (about 2 years ago)
Added
2024-02-23 (about 2 years ago)
Last Updated
2024-02-23 (about 2 years ago)

Other

Published
Title
Published
2024-11-01
Title
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) < 5.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate
Published
2024-02-09
Title
Before After Image Slider WP <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Published
2025-07-04
Title
Card flip image slideshow <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-14
Title
HUSKY – Products Filter for WooCommerce Professional < 1.3.5.2 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2025-03-18
Title
Snow Storm < 1.4.7 - Admin+ Stored XSS