Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Content Modification via CSRF
Action: Patch Upgrade
AI Analysis

Impact

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross‑Site Request Forgery because the pagelayer_save_post function does not perform proper nonce validation. This flaw allows an attacker who can trick a site administrator into clicking a crafted link or submitting a forged request to modify the contents of any post that the administrator can edit. The attacker does not need any credentials and can therefore inject or alter content remotely.

Affected Systems

WordPress sites that have installed the Page Builder: Pagelayer – Drag and Drop website builder plugin from Softaculous, in any version up to and including 1.9.8. The vulnerability is present in all versions in that range and would affect all installations using those plugin releases.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attacks would typically involve a malicious link that causes a logged‑in administrator to submit a forged request, so exploitation depends on user interaction. While the risk is modest, the attacker does not need to compromise the administrator account: a single forged request made in the administrator's session is enough to tamper with site content.

Generated by OpenCVE AI on April 21, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pagelayer plugin to version 1.9.9 or later where the CSRF protection has been added.
  • Add or verify nonce checks around the pagelayer_save_post handler to ensure that only requests containing a valid, encrypted token are processed.
  • Limit WordPress administrator access to trusted users, enforce strong passwords and two‑factor authentication, and educate staff about not clicking unknown links from external sources.



Advisories
Source: EUVD
ID: EUVD-2025-7435
Title: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

History

Mon, 26 May 2025 03:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pagelayer; Pagelayer pagelayer
CPEs | | cpe:2.3:a:pagelayer:pagelayer:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Pagelayer; Pagelayer pagelayer

Mon, 10 Mar 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Mar 2025 04:30:00 +0000

Type | Values Removed | Values Added
Description | | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Title | | Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Cross-Site Request Forgery (CSRF) To Post Contents Modification
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:15.983Z

Reserved: 2025-03-04T11:41:41.756Z

Link: CVE-2025-1926

Vulnrichment

Updated: 2025-03-10T17:04:28.637Z

NVD

Status: Analyzed

Published: 2025-03-10T05:15:35.347

Modified: 2025-05-26T02:32:26.917

Link: CVE-2025-1926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses