Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.
Published: 2025-11-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Media Replacement
Action: Apply Patch
AI Analysis

Impact

The Pagelayer Drag and Drop website builder plugin for WordPress is exposed to an Insecure Direct Object Reference flaw that allows authenticated users with Author permissions or higher to call the pagelayer_replace_page function without proper validation. This flaw enables those users to replace media files belonging to other users, including administrators, thereby modifying site content, potentially inserting malicious media, or defacing the website. The primary impact is the integrity of uploaded files rather than confidentiality or availability.

Affected Systems

Softaculous distributes the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. All released versions up to and including 2.0.5 are affected. The vulnerability exists in the plugin code that processes media replacement requests.

Risk and Exploitability

The CVSS score of 4.3 classifies this issue as moderate severity. EPSS is reported as < 1%, indicating a very low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw requires an authenticated user with Author or higher privileges, the actual risk depends on the user base and permission model of the affected site. The attack vector is internal, leveraging legitimate user credentials to trigger the insecure function.

Generated by OpenCVE AI on April 22, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pagelayer plugin to the latest available version that includes the pagelayer_replace_page ownership validation.
  • Revoke Author-level or higher access for users who do not require media editing capabilities to reduce the attack surface.
  • If an upgrade is not immediately possible, disable or restrict direct access to the pagelayer_replace_page endpoint by adding capability checks or removing the URL from public endpoints.
  • Monitor file modification logs for unexpected media changes and investigate any anomalies promptly.

Generated by OpenCVE AI on April 22, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 13 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Softaculous
Softaculous page Builder Pagelayer
Wordpress
Wordpress wordpress
Vendors & Products Softaculous
Softaculous page Builder Pagelayer
Wordpress
Wordpress wordpress

Thu, 13 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.
Title Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Softaculous Page Builder Pagelayer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:35.618Z

Reserved: 2025-10-27T18:41:31.071Z

Link: CVE-2025-12366

cve-icon Vulnrichment

Updated: 2025-11-13T14:28:11.879Z

cve-icon NVD

Status : Deferred

Published: 2025-11-13T04:15:45.927

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses