An issue exists in the PageLayer plugin prior to 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
pagelayer pagelayer