Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Monitor
AI Analysis

Impact

An issue in the Softaculous PageLayer plugin up to version 2.0.8 allows an unauthenticated user to retrieve sensitive system information embedded in the plugin’s configuration. The vulnerability could expose internal data such as database credentials or API keys, potentially undermining the confidentiality of the site’s environment. It is categorized as CWE‑497. The impact is the unauthorized disclosure of confidential system data.

Affected Systems

The affected component is the Softaculous PageLayer plugin for WordPress, with all releases from the earliest available through version 2.0.8. Site owners who have installed or enabled this plugin during that time window are at risk.

Risk and Exploitability

The CVSS score of 4.3 classifies the vulnerability as moderate. The EPSS score is below 1%, indicating that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the WordPress site’s web interface; an attacker could access exposed plugin configuration through a publicly reachable URL or by exploiting the plugin’s administration page. Incidents would primarily affect confidentiality rather than integrity or availability.

Generated by OpenCVE AI on April 14, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PageLayer plugin to a release newer than 2.0.8 when it becomes available
  • If an upgrade is not immediately possible, disable the plugin’s configuration pages and restrict access to them
  • Verify that no sensitive information is still accessible in plugin settings or logs
  • Monitor site logs for signs of unauthorized attempts to retrieve configuration data

Generated by OpenCVE AI on April 14, 2026 at 18:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Softaculous
Softaculous pagelayer
Wordpress
Wordpress wordpress
Vendors & Products Softaculous
Softaculous pagelayer
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8.
Title WordPress PageLayer plugin <= 2.0.8 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References

Subscriptions

Softaculous Pagelayer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-14T15:13:46.091Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39469

cve-icon Vulnrichment

Updated: 2026-04-14T15:11:40.976Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:21.970

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses