CVE-2024-13427: 
WordPress vulnerability analysis and mitigation

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13427) discovered in versions up to and including 2.0.0. The vulnerability was identified in the plugin's Button widget component, affecting sites using this popular WordPress page builder (NVD, Wiz).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.4 (Medium). The technical assessment shows the vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the Button widget. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and has a changed scope (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions or data theft (NVD).

The vulnerability was partially addressed in version 1.9.9 and completely fixed in version 2.0.1. Users are strongly advised to update their Pagelayer plugin to version 2.0.1 or later to mitigate this security risk (WordPress Changeset).