CVE-2026-3297 softaculous CVE debrief

Who should care

Users of the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress, particularly those with contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by insufficient input sanitization and output escaping in the Anchor block of the Page Builder: Pagelayer plugin. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages.

Defensive priority

MEDIUM

Recommended defensive actions

• Update the Page Builder: Pagelayer plugin to a version that is not vulnerable (e.g., version 2.0.10 or later).
• Limit contributor-level access and above to only trusted users.
• Monitor pages for injected scripts.

Evidence notes

The CVE-2026-3297 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-3297). The vulnerability details were obtained from [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-3297). Additional information can be found at [ref-4](https://plugins.trac.wordpress.org/changeset/3506022/pagelayer) and [ref-5](https://www.wordfence.com/threat-intel/vulnerabilities/id/9dc23817-f5fe-420a-8204-8440935f0bd7?source=cve).

Official resources