Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.
Published: 2026-06-13
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The pagelayer_save_content AJAX handler allows users with basic post‑edit capability to persist contact‑form templates in the post metadata. These templates are later consumed by an unauthenticated pagelayer_contact_submit endpoint that does not enforce a privileged or published‑context boundary, enabling an authenticated contributor or higher user to configure arbitrary mail relay templates. The result is the potential for spamming, phishing, or otherwise abusing the plugin’s outbound email functionality. The weakness is a classic Incorrect Authorization issue identified as CWE‑863.

Affected Systems

Softaculous Page Builder – Pagelayer plugin for WordPress, versions up to and including 2.0.9. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated contributor‑level user with the ability to edit posts, including pending ones. The attacker crafts an AJAX request to persist a custom contact‑form template and then triggers the unauthenticated endpoint via the contacts parameter to send outbound mail using the configured template. The vulnerability may be chained with CVE‑2026‑2442, which could expand the attacker’s control over outbound email behavior.

Generated by OpenCVE AI on June 13, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pagelayer plugin to a version newer than 2.0.9 where the issue is fixed.
  • Limit or remove Contributor‑level post‑edit permissions if they are not required, and especially prevent editing of pending posts.
  • Modify the pagelayer_contact_templates metadata handling to enforce a privileged or published‑context boundary, ensuring only trusted users can add or modify templates.
  • If an update is not immediately possible, employ web‑application firewall rules or access controls to block unauthenticated usage of the pagelayer_contact_submit endpoint and sanitize the contacts parameter.
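
An added illustration of the privileged and published-context boundary recommended above, written as a WordPress handler pair; it is not Pagelayer's own code. The hook and meta names follow the advisory, while the postid and nonce parameter names, the _pl_templates_saved_by meta key and the choice of manage_options as the privileged capability are assumptions.

```php
<?php
// Added illustration (not Pagelayer's code): gate persistence of contact-form
// mail templates on a privileged capability, and make the unauthenticated
// submit path refuse templates from unpublished or untrusted posts.
// Hook and meta names are taken from the advisory; the postid/nonce parameter
// names, the _pl_templates_saved_by key and manage_options are assumptions.

function pl_example_save_content() {
    check_ajax_referer( 'pagelayer_ajax', 'pagelayer_nonce' ); // assumed nonce name
    $post_id = absint( $_POST['postid'] ?? 0 );

    // Generic post-edit check: a Contributor passes this for their own pending
    // post, so on its own it is not a boundary for site-wide mail behaviour.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Privileged boundary for the template field specifically.
    if ( isset( $_POST['pagelayer_contact_templates'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'templates require manage_options', 403 );
        }
        $templates = wp_unslash( $_POST['pagelayer_contact_templates'] );
        update_post_meta( $post_id, 'pagelayer_contact_templates', $templates );
        // Remember who approved the template so the consumer can re-check it.
        update_post_meta( $post_id, '_pl_templates_saved_by', get_current_user_id() );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_pagelayer_save_content', 'pl_example_save_content' );

function pl_example_contact_submit() {
    $post_id = absint( $_POST['postid'] ?? 0 );

    // Published-context boundary: templates on pending or draft posts never
    // drive mail for anonymous visitors (get_post_status() is false for a
    // missing post, which also fails this check).
    if ( get_post_status( $post_id ) !== 'publish' ) {
        wp_send_json_error( 'form not available', 404 );
    }
    // Trust boundary: the approving user must still hold the capability at send time.
    $saved_by = (int) get_post_meta( $post_id, '_pl_templates_saved_by', true );
    if ( ! $saved_by || ! user_can( $saved_by, 'manage_options' ) ) {
        wp_send_json_error( 'template not trusted', 403 );
    }
    $templates = get_post_meta( $post_id, 'pagelayer_contact_templates', true );
    // Only now would $templates be rendered and handed to wp_mail().
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_pagelayer_contact_submit', 'pl_example_contact_submit' );
add_action( 'wp_ajax_pagelayer_contact_submit', 'pl_example_contact_submit' );
```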

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description above)
Title | | Pagelayer <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts'
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-13T07:51:22.099Z

Reserved: 2026-02-13T14:37:26.487Z

Link: CVE-2026-2470

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-13T08:16:12.030

Modified: 2026-06-13T08:16:12.030

Link: CVE-2026-2470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T09:30:12Z

Weaknesses