The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever [truncated]
CVE-2026-2470 is an Incorrect Authorization vulnerability in the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. The vulnerability affects all versions up to, and including, 2.0.9. The issue arises from the pagelayer_save_content AJAX handler, which allows users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit, including p [truncated]
