{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2509", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T23:40:04.816Z", "datePublished": "2026-04-08T13:26:00.333Z", "dateUpdated": "2026-04-08T17:09:13.112Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:13.112Z"}, "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915c119d-2bae-4ea6-babb-7e8e99054cd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/functions.php#L1293"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/shortcode_functions.php#L689"}, {"url": "https://plugins.trac.wordpress.org/changeset/3479046/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-13T23:55:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:47:17.692642Z", "id": "CVE-2026-2509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:13:28.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:47:17.692642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:47:18.716Z"}}], "cna": {"title": "Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T23:55:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915c119d-2bae-4ea6-babb-7e8e99054cd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/functions.php#L1293"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/shortcode_functions.php#L689"}, {"url": "https://plugins.trac.wordpress.org/changeset/3479046/"}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:13.112Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2509", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:13.112Z", "dateReserved": "2026-02-13T23:40:04.816Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T13:26:00.333Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2509", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T14:16:27.693", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/functions.php#L1293"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pagelayer/trunk/main/shortcode_functions.php#L689"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3479046/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915c119d-2bae-4ea6-babb-7e8e99054cd0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "source": "cna", "vendor": "softaculous"}, "product": "page_builder:_pagelayer_\u2013_drag_and_drop_website_builder", "vendor": "softaculous"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T14:36:02.806873+00:00", "value": {"mitigation_remediation": ["Update Pagelayer to the latest version (>=2.0.9)", "If upgrade is impossible, remove the plugin or disable custom attributes", "Restrict Contributor-level access to trusted users only", "Scrutinize pages for injected scripts and purge them", "Apply a web application firewall rule to detect and block XSS payloads"], "summary": {"action": "Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected vendors include Softaculous, the developer of the Page Builder: Pagelayer WordPress plugin. All plugin releases up through 2.0.8 are vulnerable. The vulnerability arises only on installations where authenticated users with Contributor or higher permissions have access to edit or create pages containing the Button widget. All WordPress sites that use these plugin versions and permit such contributor roles are at risk.", "description_and_impact": "The Page Builder: Pagelayer plugin for WordPress contains a stored cross\u2011site scripting vulnerability in the Button widget's Custom Attributes field. The flaw arises from an incomplete event\u2011handler blocklist in the 'pagelayer_xss_content' filtering function, allowing developers with Contributor level or higher to inject arbitrary JavaScript. Once injected, the script executes each time a user views the affected page, potentially leaking session data, defacing content, or executing malicious actions on behalf of that user. The weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating a moderate severity. EPSS data is unavailable, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, so an active exploit is not confirmed. However, the required level of access\u2014Contributor or higher\u2014means that any trusted contributor could exploit the flaw. An attacker can embed persistent malicious code that will run for all visitors to the affected page, including non\u2011authenticated users, leading to possible session hijacking, data theft, or defacement. The risk is therefore significant for WordPress sites that use the plugin and grant contributor access."}}}}, "created": "2026-04-08T19:27:02.220050+00:00", "updated": "2026-04-08T19:39:31.710273+00:00", "vendors": ["softaculous", "softaculous$PRODUCT$page_builder:_pagelayer_\u2013_drag_and_drop_website_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}