Pagelayer Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields – CVE-2023-6738 | WordPress Plugin Vulnerability Report

Plugin Name: Pagelayer

Key Information:

  • Software Type: Plugin
  • Software Slug: pagelayer
  • Software Status: Active
  • Software Author: softaculous
  • Software Downloads: 5,480,305
  • Active Installs: 200,000
  • Last Updated: January 3, 2024
  • Patched Versions: 1.7.9
  • Affected Versions: <= 1.7.8

Vulnerability Details:

  • Name: PageLayer <= 1.7.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields
  • Title: Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields
  • Type: Improper Input Validation
  • CVE: CVE-2023-6738
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: January 3, 2024
  • Researcher: Nex Team
  • Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7.


The Pagelayer plugin for WordPress has a vulnerability in versions up to and including 1.7.8 that allows authenticated users with contributor access or higher to inject malicious JavaScript payloads that will execute when pages are viewed. This vulnerability has been patched in version 1.7.9.

Detailed Overview:

The Pagelayer plugin does not properly sanitize user input from custom meta fields named 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code'. A contributor user or higher can store malicious JavaScript payloads in these fields that will execute whenever a vulnerable page is viewed by any user. This could lead to session hijacking, site defacement, cookie theft and more depending on the payload. The vulnerability appears to have been previously patched in version 1.7.7 but was reintroduced in later versions. Version 1.7.9 properly sanitizes input from these fields to prevent exploitation.

Advice for Users:

  1. Immediate Action: Update to version 1.7.9 or higher as soon as possible.
  2. Check for Signs of Compromise: Review pages edited by lower privileged users for unexpected code in meta fields.
  3. Alternate Plugins: Consider using an alternate page builder like Elementor as a precaution.
  4. Stay Updated: Enable auto-updates on Pagelayer and all plugins to receive vulnerability patches quickly.


This vulnerability allowed authenticated attackers to compromise site integrity and should be patched immediately by updating to the latest version. Enabling auto-updates can help prevent falling victim to known vulnerabilities in the future.


Detailed Report:

Keeping your WordPress website and its plugins up-to-date is crucial for maintaining security and preventing compromise from cyber threats. Unfortunately, a popular WordPress page builder plugin called Pagelayer was recently found to have a critical vulnerability that puts over 200,000 websites at risk.

This vulnerability, tracked as CVE-2023-6738, allows authenticated users with only contributor access to inject malicious JavaScript code into Pages that will execute for all visitors. This could lead to a range of exploits from session hijacking to full site takeovers.

About Pagelayer

Pagelayer is a widely used drag and drop website builder plugin with over 5 million downloads and around 200,000 active installs. It is developed by Softaculous and allows easy creation of WordPress pages and layouts without needing to touch code.

Vulnerability Details

The vulnerability impacts Pagelayer versions 1.7.8 and below. It allows users with contributor access or above to store malicious JavaScript payloads in custom meta fields that will execute whenever a vulnerable page loads. This improper input validation and lack of output escaping enables serious exploits.

An attacker could hijack user sessions, steal cookies, deface sites, introduce backdoors, redirect visitors, or conduct phishing campaigns. The vulnerability appears to have been previously patched by the developers in version 1.7.7 but was reintroduced in later releases.

Risks and Impacts

This vulnerability is particularly dangerous because of the ubiquity of Pagelayer and the minimal permissions needed to exploit it. Attackers would have a large target base and an easy route to compromise through compromised contributor accounts or via another site vulnerability used to escalate privileges.

Successful attacks could lead to data theft, malware infections, SEO sabotage, ruined reputations and compliance violations for affected sites. Sites compromised for malicious purposes could then be used to attack site visitors or others. Proactive patching is highly recommended.

Remediating the Vulnerability

Pagelayer version 1.7.9 patches this vulnerability by properly sanitizing input from the problematic meta fields. Users should update as soon as possible. However, given the likelihood of pre-existing exploitation, sites should also be thoroughly scanned for unwanted modifications after updating.

Our experts can safely check your site and remove any malicious code introduced through this or other vectors. We recommend contacting us for an assessment even after updating. Using alternate page builder plugins can also mitigate risks until Pagelayer has proven reliable over time.

Importance of Proactive Security

This vulnerability underscores the importance of proactive security for resource constrained small business owners on WordPress. Failing to update the Pagelayer plugin or enabling auto-updates could have led to site compromise or worse through no direct fault of your own.

Staying on top of vulnerabilities across all plugins and themes is crucial but also extremely time consuming. Our managed website security services handle this heavy lifting for you by actively monitoring your site, apps and traffic for threats. We make sure updates are applied, vulnerabilities are patched, and suspicious activities investigated.

Focus on your business while leaving the security heavy lifting to the experts! Contact us today to discuss securing the online presence that is so vital for your company's success.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

Pagelayer Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields – CVE-2023-6738 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment