Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.
Published: 2025-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Post Publication
Action: Patch
AI Analysis

Impact

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress contains an authorization flaw in the pagelayer_save_content() function, preventing proper access control checks on content submissions. Consequently, authenticated users with Contributor level or higher can bypass the moderation process and publish posts directly, thereby compromising content integrity and potentially allowing malicious or inappropriate material to appear on the site. This weakness is categorized as CWE-862, indicating insufficient authorization controls.

Affected Systems

The vulnerability applies to all installations of the Pagelayer plugin for WordPress running version 1.9.8 or earlier. The plugin is distributed under the vendor Softaculous and is commonly found in WordPress environments that use the Drag and Drop website builder component.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers would need legitimate access to the WordPress admin interface with Contributor or higher capabilities; no remote code execution or privilege escalation outside the WordPress application layer is required. Once authenticated, an attacker can send a payload to the pagelayer_save_content endpoint and cause the system to publish a post, effectively altering site content without permission.

Generated by OpenCVE AI on April 22, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Page Builder: Pagelayer plugin to the latest available version (1.9.9 or later) where the authorization check has been corrected.
  • If an upgrade is infeasible, modify WordPress user roles to remove publishing permissions from Contributors and any roles below Administrator.
  • Consider disabling the pagelayer_save_content functionality or restricting access to it via role-based capabilities until a fix can be applied.
  • Conduct a review of recently published posts to identify any entries that may have been posted via this vulnerability and revert or delete them as necessary.

Generated by OpenCVE AI on April 22, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6613 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00034}

 epss

{'score': 0.00044}

Mon, 26 May 2025 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Pagelayer
Pagelayer pagelayer
CPEs cpe:2.3:a:pagelayer:pagelayer:*:*:*:*:*:wordpress:*:*
Vendors & Products Pagelayer
Pagelayer pagelayer

Mon, 17 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Mar 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.
Title Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9 - Missing Authorization to Authenticated (Contributor+) Post Publication
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Pagelayer Pagelayer
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:21.399Z

Reserved: 2025-03-07T19:01:44.124Z

Link: CVE-2025-2104

cve-icon Vulnrichment

Updated: 2025-03-17T21:25:37.066Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-13T05:15:28.303

Modified: 2025-05-26T02:13:09.153

Link: CVE-2025-2104

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses