Page Builder: Pagelayer Vulnerability– Drag and Drop website builder – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes – CVE-2024-2127 |WordPress Plugin Vulnerability Report

Plugin Name: Page Builder: Pagelayer – Drag and Drop website builder

Key Information:

  • Software Type: Plugin
  • Software Slug: pagelayer
  • Software Status: Active
  • Software Author: softaculous
  • Software Downloads: 5,791,472
  • Active Installs: 200,000
  • Last Updated: March 12, 2024
  • Patched Versions: 1.8.4
  • Affected Versions: <= 1.8.3

Vulnerability Details:

  • Name: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.3
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2127
  • CVSS Score: 6.4
  • Publicly Published: March 7, 2024
  • Researcher: (Name not provided; presumed to be 'March 7, 2024' due to formatting error)
  • Description: The plugin is vulnerable to Stored Cross-Site Scripting (XSS) in all its versions up to 1.8.3. Insufficient input sanitization and output escaping in handling custom attributes allow authenticated users with at least contributor permissions to execute arbitrary scripts on the web pages, compromising site security and user safety.


The popular WordPress plugin, Page Builder: Pagelayer, facilitates effortless website building with its drag-and-drop functionality. However, a significant security flaw has been identified in versions up to 1.8.3, where attackers can exploit custom attributes to inject malicious scripts. This vulnerability, addressed in the latest patch, version 1.8.4, poses a considerable risk to website integrity and user data protection.

Detailed Overview:

The vulnerability, discovered by an unnamed researcher and publicized on March 7, 2024, highlights a critical oversight in the plugin's security measures concerning custom attributes. The potential for script injection by users with basic privileges exposes websites to a variety of cyber threats, including data theft, unauthorized access, and malware distribution. The swift release of a patched version by softaculous, the plugin's developer, underscores the urgency of the issue.

Advice for Users:

  • Immediate Action: Upgrade to version 1.8.4 immediately to safeguard your WordPress site against this vulnerability. Ensure all updates are applied from the WordPress dashboard under the 'Plugins' section.
  • Check for Signs of Vulnerability: Monitor your website for unexpected content changes or unusual user activity, which may indicate exploitation.
  • Alternate Plugins: While the updated version rectifies the XSS vulnerability, users might explore other page builder plugins that meet their specific needs and security requirements.
  • Stay Updated: Regularly updating all site components, including plugins, themes, and the WordPress core, is crucial for maintaining security and functionality.


The discovery of CVE-2024-2127 within the Page Builder: Pagelayer plugin serves as a critical reminder of the importance of cybersecurity vigilance in the WordPress ecosystem. For small business owners and website administrators, the proactive management of software updates is not just a technical task but a foundational element of digital stewardship. Ensuring the use of secure, up-to-date plugins is essential for protecting digital assets and preserving the trust of website users.


In the vast and ever-evolving landscape of WordPress, where plugins breathe life into websites by extending their functionality and enhancing their aesthetic appeal, the Page Builder: Pagelayer plugin stands out for its user-friendly drag-and-drop interface. It empowers even the least tech-savvy individuals to craft beautiful and functional websites. However, the recent discovery of a vulnerability within this popular plugin, designated as CVE-2024-2127, casts a spotlight on the critical need for constant vigilance in the realm of cybersecurity.

Plugin Overview:

Page Builder: Pagelayer, developed by Softaculous, is celebrated for its intuitive design capabilities, allowing users to construct websites with ease. With an impressive tally of over 5.7 million downloads and 200,000 active installations, its influence within the WordPress community is undeniable. The plugin's commitment to regular updates, as evidenced by its last update on March 12, 2024, is indicative of the developers' dedication to user safety and experience.

Vulnerability Details:

CVE-2024-2127 unveils a significant security flaw in versions up to 1.8.3 of the Pagelayer plugin. This vulnerability, stemming from insufficient input sanitization and output escaping in custom attributes, opens the door for authenticated users to inject malicious scripts via shortcodes. These scripts, once executed by unsuspecting visitors, can lead to a myriad of security breaches, from data theft to unauthorized website control.

Risks and Potential Impacts:

The stakes are high with CVE-2024-2127, as the exploitation of this vulnerability could severely compromise the integrity of WordPress sites using the affected Pagelayer versions. The potential for data breaches, unauthorized access, and the spread of malware poses a significant risk not only to site owners but also to their users, eroding trust and potentially causing irreversible damage to reputations and operations.

Remediation and Prevention:

In response to this threat, Softaculous swiftly released version 1.8.4 of the Pagelayer plugin, which addresses and patches the vulnerability. Site owners are urged to update their plugin to this latest version without delay. Furthermore, regular site audits and staying informed about the latest security updates are paramount in preempting potential exploits.

Previous Vulnerabilities:

It's worth noting that this is not the first time vulnerabilities have been identified in the Pagelayer plugin, with 11 previous instances recorded since May 28, 2020. Each occurrence serves as a learning opportunity and a reminder of the dynamic nature of cybersecurity threats.

In conclusion, the discovery of CVE-2024-2127 within the Page Builder: Pagelayer plugin underscores a fundamental truth in the digital age: the security of online platforms is an ongoing endeavor, requiring constant vigilance and proactive measures. For small business owners, for whom a website often serves as the lifeblood of their operations, understanding the importance of regular plugin updates is not just a technical necessity but a cornerstone of digital stewardship. In a world where digital threats loom large, staying ahead of vulnerabilities is not merely a best practice—it's a vital safeguard for your digital presence and the community that trusts and relies on it.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Page Builder: Pagelayer Vulnerability– Drag and Drop website builder – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes – CVE-2024-2127 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment