Plugin Name: Pagelayer
- Software Type: Plugin
- Software Slug: pagelayer
- Software Status: Active
- Software Author: softaculous
- Software Downloads: 5,480,305
- Active Installs: 200,000
- Last Updated: January 3, 2024
- Patched Versions: 1.7.9
- Affected Versions: <= 1.7.8
- Name: PageLayer <= 1.7.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields
- Title: Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields
- Type: Improper Input Validation
- CVE: CVE-2023-6738
- CVSS Score: 5.4 (Medium)
- Publicly Published: January 3, 2024
- Researcher: Nex Team
- Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7.
Advice for Users:
- Immediate Action: Update to version 1.7.9 or higher as soon as possible.
- Check for Signs of Compromise: Review pages edited by lower privileged users for unexpected code in meta fields.
- Alternate Plugins: Consider using an alternate page builder like Elementor as a precaution.
- Stay Updated: Enable auto-updates on Pagelayer and all plugins to receive vulnerability patches quickly.
This vulnerability allowed authenticated attackers to compromise site integrity and should be patched immediately by updating to the latest version. Enabling auto-updates can help prevent falling victim to known vulnerabilities in the future.
Keeping your WordPress website and its plugins up-to-date is crucial for maintaining security and preventing compromise from cyber threats. Unfortunately, a popular WordPress page builder plugin called Pagelayer was recently found to have a critical vulnerability that puts over 200,000 websites at risk.
Pagelayer is a widely used drag and drop website builder plugin with over 5 million downloads and around 200,000 active installs. It is developed by Softaculous and allows easy creation of WordPress pages and layouts without needing to touch code.
An attacker could hijack user sessions, steal cookies, deface sites, introduce backdoors, redirect visitors, or conduct phishing campaigns. The vulnerability appears to have been previously patched by the developers in version 1.7.7 but was reintroduced in later releases.
Risks and Impacts
This vulnerability is particularly dangerous because of the ubiquity of Pagelayer and the minimal permissions needed to exploit it. Attackers would have a large target base and an easy route to compromise through compromised contributor accounts or via another site vulnerability used to escalate privileges.
Successful attacks could lead to data theft, malware infections, SEO sabotage, ruined reputations and compliance violations for affected sites. Sites compromised for malicious purposes could then be used to attack site visitors or others. Proactive patching is highly recommended.
Remediating the Vulnerability
Pagelayer version 1.7.9 patches this vulnerability by properly sanitizing input from the problematic meta fields. Users should update as soon as possible. However, given the likelihood of pre-existing exploitation, sites should also be thoroughly scanned for unwanted modifications after updating.
Our experts can safely check your site and remove any malicious code introduced through this or other vectors. We recommend contacting us for an assessment even after updating. Using alternate page builder plugins can also mitigate risks until Pagelayer has proven reliable over time.
Importance of Proactive Security
This vulnerability underscores the importance of proactive security for resource constrained small business owners on WordPress. Failing to update the Pagelayer plugin or enabling auto-updates could have led to site compromise or worse through no direct fault of your own.
Staying on top of vulnerabilities across all plugins and themes is crucial but also extremely time consuming. Our managed website security services handle this heavy lifting for you by actively monitoring your site, apps and traffic for threats. We make sure updates are applied, vulnerabilities are patched, and suspicious activities investigated.
Focus on your business while leaving the security heavy lifting to the experts! Contact us today to discuss securing the online presence that is so vital for your company's success.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.