Skip to main content

Pagelayer CVE-2026-2470

| EUVDEUVD-2026-36647 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-13 Wordfence GHSA-r293-jvq6-pfqr
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible AJAX endpoint requires Contributor authentication (PR:L); only limited integrity impact from template injection with no confidentiality or availability consequences.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 08:30 vuln.today
CVE Published
Jun 13, 2026 - 07:51 nvd
MEDIUM 4.3

DescriptionNVD

The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.

AnalysisAI

Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.

Technical ContextAI

The affected component is the Pagelayer - Page Builder: Drag and Drop website builder plugin for WordPress by Softaculous (CPE: cpe:2.3:a:softaculous:page_builder:_pagelayer_-_drag_and_drop_website_builder). The root cause is CWE-863 (Incorrect Authorization) - a broken trust boundary between two distinct AJAX handlers. The pagelayer_save_content handler checks only for basic WordPress post-edit capability before allowing writes to pagelayer_contact_templates post metadata, a field semantically reserved for privileged contact-form configuration. The pagelayer_contact_submit endpoint is unauthenticated and resolves template metadata dynamically from user-supplied post or form identifiers rather than enforcing that the referenced template was set by a privileged user or that the post is in a published state. This decoupled read/write model creates the authorization gap: write-path privilege check (Contributor) is weaker than the read-path trust assumption (admin-configured or published context). Notably, the vulnerability exists in the plugin backend independently of whether Pagelayer Pro UI is installed or used to configure the contact-form feature.

RemediationAI

Update the Pagelayer plugin to a version beyond 2.0.9 via the WordPress dashboard (Plugins > Updates) or WP-CLI (wp plugin update pagelayer). The upstream fix is captured in WordPress plugin repository changeset 3506022 (https://plugins.trac.wordpress.org/changeset/3506022/pagelayer); however, a specific tagged release version was not independently confirmed from the provided references - verify the installed version post-update against the WordPress plugin directory. If immediate patching is not feasible, the most targeted compensating control is to audit and restrict the Contributor role: either remove the ability to create or edit posts from untrusted contributor accounts, or temporarily suspend open user registration to prevent self-enrollment at Contributor level. Note that role restriction will impact legitimate editorial workflows on multi-author sites and should be treated as a temporary measure only. Sites also affected by CVE-2026-2442 should ensure that vulnerability is addressed in the same maintenance window given the documented chaining potential.

CVE-2020-13643 HIGH POC
8.8 May 28

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.

CVE-2020-13642 HIGH POC
8.8 May 28

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. Rated high severity (CVSS 8.

CVE-2020-28650 MEDIUM POC
5.4 Nov 16

The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard W

CVE-2024-5709 HIGH
8.8 Aug 06

The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and inclu

CVE-2023-52193 MEDIUM
6.5 Feb 01

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team

CVE-2024-4361 MEDIUM
6.4 May 21

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteo

CVE-2024-1842 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in a

CVE-2024-1841 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all v

CVE-2024-1840 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all

CVE-2024-1805 MEDIUM
6.4 May 02

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all v

CVE-2024-2202 MEDIUM
6.4 Mar 23

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image wi

CVE-2025-1459 MEDIUM
6.4 Mar 01

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(

Share

CVE-2026-2470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy