CVE-2023-6738

Name of the Vulnerable Software and Affected Versions The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress versions up to, and including, 1.7.8

Description The issue is related to Stored Cross-Site Scripting via the pagelayer header code, pagelayer body open code, and pagelayer footer code meta fields due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability appears to be a reintroduction of a previously patched issue in version 1.7.7.

Recommendations For versions up to, and including, 1.7.8, consider updating to a version that includes the fix for this issue, as the vulnerability was reintroduced after being patched in version 1.7.7. As a temporary workaround, consider restricting access to the pagelayer header code, pagelayer body open code, and pagelayer footer code meta fields to minimize the risk of exploitation. Avoid using these fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.