Skip to main content

Pagelayer EUVD-2026-20139

| CVE-2026-39469 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-04-08 Patchstack GHSA-pr8q-fpgr-cjrr
Information Disclosure Pagelayer
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 20:09 vuln.today
CVSS changed
Apr 14, 2026 - 16:22 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20139
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8.

AnalysisAI

Softaculous PageLayer WordPress plugin through version 2.0.8 allows authenticated users to retrieve embedded sensitive data through exposure of information to an unauthorized control sphere. The vulnerability has a low CVSS score of 4.3 and an extremely low EPSS percentile of 5%, indicating minimal real-world exploitation probability despite requiring authenticated access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress user credentials
Delivery
Authenticate as low-privilege user
Exploit
Access PageLayer API or admin interface
Execution
Query unprotected data endpoints
Persist
Retrieve embedded sensitive data
Impact
Exfiltrate or exploit sensitive information
Sign in to reveal

Vulnerability AssessmentAI

Risk Assessment Multiple risk signals indicate this is a low-priority vulnerability despite the 4.3 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated WordPress user with low-privilege roles (e.g., contributor, editor without admin capabilities) logs into a site running vulnerable PageLayer and accesses page builder REST API endpoints or inspects shortcode metadata to retrieve sensitive information such as database credentials, configuration details, or other user/site data embedded in PageLayer's internal data structures. The attack requires no user interaction and leverages the low authentication complexity, though the attacker must first obtain valid WordPress credentials.
Remediation Update Softaculous PageLayer to a version newer than 2.0.8 (patch version not explicitly specified in provided data, recommend checking Patchstack advisory and Softaculous official repository for the exact patched release). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-20139 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy