CVE-2023-6738: 
WordPress vulnerability analysis and mitigation

CVE-2023-6738 affects the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress in versions up to and including 1.7.8. The vulnerability was discovered and disclosed on January 3, 2024, and involves a Stored Cross-Site Scripting issue in the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the meta fields. The issue has a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This appears to be a reintroduction of a vulnerability that was previously patched in version 1.7.7 (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially compromising user data and website security (NVD).

Users should update to version 1.7.9 or later of the Pagelayer plugin which contains the fix for this vulnerability. The patch can be found in the WordPress plugin repository (WordPress Plugin).