CVE-2025-4223: 
WordPress vulnerability analysis and mitigation

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-4223) discovered in May 2025. The vulnerability affects all versions up to and including 2.0.0, stemming from insufficient input sanitization and output escaping in the 'login_url' parameter (NVD, Wiz).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 4.7 (Medium) severity. The attack vector is network-based (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. However, successful exploitation requires a valid username/password pair, and any injected scripts will only execute in the context of the authenticated user (NVD).

The vulnerability has been addressed in the source code by implementing proper sanitization of the 'loginurl' parameter using the sanitizeurl() function. Users should update to a version newer than 2.0.0 to protect against this vulnerability (WordPress Plugin).