Page Builder: Pagelayer – Drag and Drop website builder Security & Risk Analysis

wordpress.org/plugins/pagelayer

The most advanced frontend drag & drop page builder. Pagelayer is a light weight but extremely powerful Website Builder.

400K active installs · v2.0.9 · PHP 5.5+ · WP 4.7+ · Updated Mar 10, 2026
Tags: drag-and-drop, editor, gutenberg-blocks, landing-page, page-builder
88 · A · Safe
CVEs total: 25
Unpatched: 0
Last CVE: Nov 12, 2025
Safety Verdict

Is Page Builder: Pagelayer – Drag and Drop website builder Safe to Use in 2026?

Generally Safe

Score 88/100

Page Builder: Pagelayer – Drag and Drop website builder has a strong security track record. Known vulnerabilities have been patched promptly.

25 known CVEs · Last CVE: Nov 12, 2025 · Updated 24d ago
Risk Assessment

The PageLayer plugin v2.0.9 exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL query handling, with 100% of queries utilizing prepared statements, and a significant number of capability checks (49) and nonce checks (46). The absence of bundled libraries is also a strength. However, there are notable areas of concern. The plugin presents a substantial attack surface with 44 AJAX handlers, and critically, 3 of these handlers lack authentication checks, representing a direct vulnerability.

Taint analysis reveals a concerning 13 flows with unsanitized paths, although currently none are categorized as critical or high severity. This, coupled with only 49% of outputs being properly escaped, suggests a potential for cross-site scripting (XSS) vulnerabilities if these unsanitized paths lead to unescaped output. The plugin's vulnerability history is extensive, with 25 known CVEs, including a significant number of high and medium severity issues related to authorization bypass, missing authorization, CSRF, and XSS. While there are currently no unpatched CVEs, the historical pattern indicates a recurring susceptibility to these types of vulnerabilities, suggesting a need for more robust and consistent security implementation.

In conclusion, while PageLayer v2.0.9 benefits from secure SQL practices and good use of nonces and capability checks, the presence of unprotected AJAX endpoints, a considerable number of unsanitized paths, insufficient output escaping, and a history of numerous authorization and XSS-related vulnerabilities collectively point to a moderate to high risk. Addressing the unprotected AJAX handlers and improving output sanitization should be immediate priorities. The plugin's developers should also investigate the root causes of its historical vulnerability patterns to implement more resilient security measures.

Key Concerns

  • Unprotected AJAX handlers
  • Low percentage of properly escaped outputs
  • Flows with unsanitized paths
  • Numerous historical vulnerabilities (high/medium)
Vulnerabilities: 25

Page Builder: Pagelayer – Drag and Drop website builder Security Vulnerabilities

CVEs by Year

  • 2020: 4 CVEs
  • 2023: 5 CVEs
  • 2024: 9 CVEs
  • 2025: 7 CVEs

Severity Breakdown

  • High: 3
  • Medium: 22

25 total CVEs

CVE-2025-12366 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference

Nov 12, 2025 Patched in 2.0.6 (1d)
CVE-2025-4223 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Reflected Cross-Site Scripting via login_url Parameter

May 23, 2025 Patched in 2.0.1 (1d)
CVE-2024-13427 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link

May 23, 2025 Patched in 2.0.1 (1d)
CVE-2025-2104 · medium · 4.3 · Missing Authorization

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9 - Missing Authorization to Authenticated (Contributor+) Post Publication

Mar 12, 2025 Patched in 2.0.0 (1d)
CVE-2024-13430 · medium · 4.3 · Improper Access Control

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode

Mar 11, 2025 Patched in 1.9.9 (1d)
CVE-2025-1926 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Cross-Site Request Forgery (CSRF) To Post Contents Modification

Mar 9, 2025 Patched in 1.9.9 (1d)
CVE-2025-24573 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PageLayer <= 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 24, 2025 Patched in 1.9.5 (5d)
CVE-2024-8618 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer <= 1.8.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 4, 2024 Patched in 1.9.0 (268d)
CVE-2024-43972 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PageLayer <= 1.8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 28, 2024 Patched in 1.8.8 (49d)
CVE-2024-8426 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer <= 1.8.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 28, 2024 Patched in 1.8.8 (306d)
CVE-2024-30465 · medium · 4.3 · Missing Authorization

PageLayer <= 1.8.1 - Missing Authorization

Mar 28, 2024 Patched in 1.8.2 (7d)
CVE-2024-2504 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom attributes

Mar 21, 2024 Patched in 1.8.5 (72d)
CVE-2024-2127 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes

Mar 7, 2024 Patched in 1.8.4 (1d)
CVE-2024-1590 · medium · 4.6 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button

Feb 22, 2024 Patched in 1.8.3 (1d)
CVE-2023-5124 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Pagelayer <= 1.7.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via Header/Footer code

Jan 31, 2024 Patched in 1.8.0 (37d)
CVE-2023-6738 · medium · 5.4 · Improper Input Validation

PageLayer <= 1.7.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields

Jan 3, 2024 Patched in 1.7.9 (209d)
CVE-2023-7115 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer <= 1.7.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 24, 2023 Patched in 1.8.1 (90d)
CVE-2023-49196 · medium · 5.3 · Missing Authorization

PageLayer <= 1.7.7 - Cross-Site Request Forgery via pagelayer_load_plugin

Dec 1, 2023 Patched in 1.7.8 (378d)
CVE-2023-4687 · high · 7.2 · Missing Authorization

Page Builder: Pagelayer – Drag and Drop website builder <= 1.7.6 - Missing Authorization to Stored Cross-Site Scripting

Sep 25, 2023 Patched in 1.7.7 (120d)
CVE-2023-5087 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer <= 1.7.7 - Authenticated (Author+) Stored Cross-Site Scripting via Header/Footer

Sep 25, 2023 Patched in 1.7.8 (120d)
WF-e34b6ae5-1370-4058-95dd-5686978ca45b-pagelayer · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PageLayer <= 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 13, 2023 Patched in 1.7.7 (132d)
CVE-2020-36383 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder < 1.3.5 - Reflected Cross-Site Scripting via font-size

Dec 10, 2020 Patched in 1.3.5 (1139d)
CVE-2020-36384 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder < 1.3.5 - Reflected Cross-Site Scripting via Color Settings

Dec 10, 2020 Patched in 1.3.5 (1139d)
CVE-2020-35944 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Page Builder: Pagelayer – Drag and Drop website builder <= 1.1.1 - Cross-Site Request Forgery to Cross-Site Scripting

May 28, 2020 Patched in 1.1.2 (1335d)
CVE-2020-35947 · high · 7.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Pagelayer – Drag and Drop website builder <= 1.1.1 - Missing Authorization to Cross-Site Scripting

May 28, 2020 Patched in 1.1.2 (1335d)
Code Analysis
Analyzed Mar 16, 2026

Page Builder: Pagelayer – Drag and Drop website builder Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (15 prepared)
  • Unescaped Output: 233 (225 escaped)
  • Nonce Checks: 46
  • Capability Checks: 49
  • File Operations: 34
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 15 total queries

Output Escaping

49% escaped · 458 total outputs

Data Flows: 13 unsanitized

Data Flow Analysis

25 flows · 13 with unsanitized paths
pagelayer_get_section_shortcodes (main\ajax.php:618)
Attack Surface: 3 unprotected

Page Builder: Pagelayer – Drag and Drop website builder Attack Surface

Entry Points: 44
Unprotected: 3

AJAX Handlers 44

auth · wp_ajax_pagelayer_wp_widget · main\ajax.php:35
auth · wp_ajax_pagelayer_save_content · main\ajax.php:157
auth · wp_ajax_pagelayer_save_templ_content · main\ajax.php:426
auth · wp_ajax_pagelayer_set_jscss_giver · main\ajax.php:523
auth · wp_ajax_pagelayer_do_shortcodes · main\ajax.php:546
auth · wp_ajax_pagelayer_givejs · main\ajax.php:577
auth · wp_ajax_pagelayer_givecss · main\ajax.php:599
nopriv · wp_ajax_pagelayer_givecss · main\ajax.php:600
auth · wp_ajax_pagelayer_get_section_shortcodes · main\ajax.php:617
auth · wp_ajax_pagelayer_get_section_blocks · main\ajax.php:704
auth · wp_ajax_pagelayer_fetch_site_title · main\ajax.php:779
auth · wp_ajax_pagelayer_update_site_title · main\ajax.php:790
auth · wp_ajax_pagelayer_fetch_sidebar · main\ajax.php:810
auth · wp_ajax_pagelayer_fetch_primary_menu · main\ajax.php:841
auth · wp_ajax_pagelayer_create_post_autosave · main\ajax.php:879
auth · wp_ajax_pagelayer_get_revision · main\ajax.php:918
auth · wp_ajax_pagelayer_apply_revision · main\ajax.php:944
auth · wp_ajax_pagelayer_delete_revision · main\ajax.php:1002
auth · wp_ajax_pagelayer_post_nav · main\ajax.php:1048
auth · wp_ajax_pagelayer_post_comment · main\ajax.php:1098
auth · wp_ajax_pagelayer_post_info · main\ajax.php:1125
auth · wp_ajax_pagelayer_fetch_featured_img · main\ajax.php:1150
auth · wp_ajax_pagelayer_fetch_posts · main\ajax.php:1169
auth · wp_ajax_pagelayer_posts_data · main\ajax.php:1188
auth · wp_ajax_pagelayer_archive_posts_data · main\ajax.php:1209
auth · wp_ajax_pagelayer_contact_submit · main\ajax.php:1243
nopriv · wp_ajax_pagelayer_contact_submit · main\ajax.php:1244
auth · wp_ajax_pagelayer_login_submit · main\ajax.php:1426
nopriv · wp_ajax_pagelayer_login_submit · main\ajax.php:1427
auth · wp_ajax_pagelayer_get_pages_list · main\ajax.php:1459
auth · wp_ajax_pagelayer_search_ids · main\ajax.php:1493
auth · wp_ajax_pagelayer_save_template · main\ajax.php:1596
auth · wp_ajax_pagelayer_product_categories · main\ajax.php:1692
auth · wp_ajax_pagelayer_products_ajax · main\ajax.php:1722
auth · wp_ajax_pagelayer_get_taxonomy_list · main\ajax.php:1793
auth · wp_ajax_pagelayer_export_template · main\ajax.php:1829
auth · wp_ajax_pagelayer_get_cat_checkboxes · main\ajax.php:2121
auth · wp_ajax_pagelayer_get_post_tags · main\ajax.php:2165
auth · wp_ajax_pagelayer_custom_font · main\ajax.php:2204
auth · wp_ajax_pagelayer_trash_post · main\ajax.php:2247
auth · wp_ajax_pagelayer_infinite_posts · main\ajax.php:2273
nopriv · wp_ajax_pagelayer_infinite_posts · main\ajax.php:2274
auth · wp_ajax_pagelayer_pro_dismiss_expired_licenses · main\ajax.php:2293
auth · wp_ajax_pagelayer_close_update_notice · main\ajax.php:2305
WordPress Hooks 91
action · plugins_loaded · init.php:145
action · admin_notices · init.php:229
filter · softaculous_plugin_update_notice · init.php:230
action · admin_notices · init.php:238
action · admin_notices · init.php:251
action · admin_menu · init.php:263
action · admin_enqueue_scripts · init.php:362
filter · sanitize_post_meta_pagelayer_header_code · init.php:449
filter · sanitize_post_meta_pagelayer_body_open_code · init.php:450
filter · sanitize_post_meta_pagelayer_footer_code · init.php:451
filter · content_save_pre · init.php:466
action · save_post · init.php:497
action · template_redirect · init.php:566
action · template_redirect · init.php:595
action · wp_head · init.php:642
action · wp_head · init.php:683
filter · body_class · init.php:684
action · admin_print_scripts · init.php:688
action · wp_footer · init.php:699
action · template_include · init.php:1193
action · wp_head · init.php:1205
action · edit_form_after_title · init.php:1247
action · admin_footer · init.php:1259
filter · old_slug_redirect_url · init.php:1321
action · admin_action_pagelayer_clone_post · init.php:1332
filter · post_row_actions · init.php:1391
filter · page_row_actions · init.php:1392
filter · post_row_actions · init.php:1400
filter · page_row_actions · init.php:1401
filter · plugin_action_links_pagelayer/pagelayer.php · init.php:1423
action · wp_head · init.php:1437
action · wp_body_open · init.php:1458
action · wp_footer · init.php:1479
action · wp_logout · init.php:1515
filter · media_row_actions · init.php:1537
action · init · init.php:1564
filter · excerpt_length · main\ajax.php:1218
action · phpmailer_init · main\ajax.php:1353
action · woocommerce_shortcode_products_query · main\ajax.php:1764
filter · block_categories_all · main\blocks.php:26
filter · block_categories · main\blocks.php:28
action · template_redirect · main\blocks.php:46
action · enqueue_block_editor_assets · main\blocks.php:171
action · admin_print_scripts · main\blocks.php:219
action · init · main\blocks.php:303
filter · the_post · main\blocks.php:348
action · plugins_loaded · main\class.php:136
action · customize_preview_init · main\customizer.php:26
action · customize_controls_enqueue_scripts · main\customizer.php:32
action · customize_controls_print_styles · main\customizer.php:40
action · customize_register · main\customizer.php:120
action · pre_render_block · main\functions.php:675
action · admin_notices · main\functions.php:1632
filter · excerpt_length · main\functions.php:1841
filter · pagelayer_right_bar_promos · main\import.php:316
filter · pagelayer_importing_templates · main\import.php:530
filter · pagelayer_start_insert_content · main\import.php:1161
action · wp_head · main\live.php:40
filter · the_content · main\live.php:46
filter · pre_render_block · main\live.php:49
filter · pre_do_shortcode_tag · main\live.php:52
action · wp_footer · main\live.php:94
filter · hidden_meta_boxes · main\post_metas.php:96
action · admin_head · main\template.php:329
action · init · main\template.php:363
filter · get_edit_post_link · main\template.php:446
filter · post_row_actions · main\template.php:461
action · parse_query · main\template.php:627
action · edit_form_after_title · main\template.php:652
action · admin_footer · main\template.php:666
action · template_redirect · main\template.php:734
filter · template_include · main\template.php:797
action · plugins_loaded · main\template.php:846
action · setup_theme · main\template.php:921
filter · template_include · main\template.php:952
action · template_redirect · main\template.php:959
filter · aioseo_disable · main\template.php:1018
action · get_header · main\template.php:1021
action · get_footer · main\template.php:1022
action · wp_body_open · main\template.php:1031
action · wp_footer · main\template.php:1032
action · wp · main\woocommerce.php:25
filter · woocommerce_enable_order_notes_field · main\woocommerce.php:48
filter · wp_nav_menu_items · main\woocommerce.php:57
filter · wp_page_menu · main\woocommerce.php:58
action · customize_controls_print_scripts · main\woocommerce.php:78
action · wp_head · main\woocommerce.php:139
action · customize_register · main\woocommerce.php:314
action · template_redirect · main\woocommerce.php:678
filter · body_class · main\woocommerce.php:706
action · wp_footer · main\woocommerce.php:730
Maintenance & Trust

Page Builder: Pagelayer – Drag and Drop website builder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 10, 2026
  • PHP min version: 5.5
  • Downloads: 8.5M

Community Trust

  • Rating: 78/100
  • Number of ratings: 101
  • Active installs: 400K
Developer Profile

Page Builder: Pagelayer – Drag and Drop website builder Developer Profile

Softaculous

10 plugins · 4.1M total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 333 days
Detection Fingerprints

How We Detect Page Builder: Pagelayer – Drag and Drop website builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/pagelayer/css/frontend.css
  • /wp-content/plugins/pagelayer/css/frontend.responsive.css
  • /wp-content/plugins/pagelayer/js/frontend.js
  • /wp-content/plugins/pagelayer/js/editor.js
  • /wp-content/plugins/pagelayer/css/editor.css
  • /wp-content/plugins/pagelayer/css/editor.responsive.css
  • /wp-content/plugins/pagelayer/js/assets/tinymce/skins/ui/pagelayer/editor.min.css
  • /wp-content/plugins/pagelayer/js/assets/tinymce/skins/ui/pagelayer/content.min.css
  • +1 more

Script Paths
  • /wp-content/plugins/pagelayer/js/frontend.js
  • /wp-content/plugins/pagelayer/js/editor.js
  • /wp-content/plugins/pagelayer/js/assets/tinymce/skins/ui/pagelayer/editor.min.css
  • /wp-content/plugins/pagelayer/js/assets/tinymce/skins/ui/pagelayer/content.min.css
  • /wp-content/plugins/pagelayer/js/editor.vendor.js

Version Parameters
  • pagelayer/css/frontend.css?ver=
  • pagelayer/css/frontend.responsive.css?ver=
  • pagelayer/js/frontend.js?ver=
  • pagelayer/js/editor.js?ver=
  • pagelayer/css/editor.css?ver=
  • pagelayer/css/editor.responsive.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • pagelayer-editor-wrapper
  • pagelayer-backend-editor
  • pagelayer-frontend-editor
  • pagelayer-canvas
  • pagelayer-row
  • pagelayer-column
  • pl-text-block
  • pl-image-block
  • +51 more

HTML Comments
  • <!-- Pagelayer Editor Start -->
  • <!-- Pagelayer Editor End -->
  • <!-- Pagelayer Backend Editor -->
  • <!-- Pagelayer Frontend Editor -->
  • +5 more

Data Attributes
  • data-pagelayer-element-type
  • data-pagelayer-module-type
  • data-pagelayer-editor
  • data-pagelayer-draggable
  • data-pagelayer-droppable
  • data-pagelayer-sortable
  • +4 more

JS Globals
  • window.pagelayerEditor
  • window.pagelayerFrontendEditor
  • window.pagelayerUtils
  • window.pagelayerAdmin
  • window.pagelayer

REST Endpoints
  • /wp-json/pagelayer/v1/get_content
  • /wp-json/pagelayer/v1/save_content