Page Builder: Pagelayer – Drag and Drop website builder < 1.9.9 – Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode | CVE 2024-13430 | Plugin Vulnerabilities

Description

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.

Affects Plugins

Fixed in 1.9.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1de8da4c-dee7-4d59-a475-a969008aa0d4

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nishiv

Verified

No

WPVDB ID

49bc871e-b320-455f-8025-1a014df92ac4

Timeline

Publicly Published

2025-03-11 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-12 (about 1 year ago)

Other

Published

Title

Published

2022-05-18

Title

JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update

Published

2016-12-06

Title

Ultimate Member < 1.3.76 - Unauthenticated Change Passwords

Published

2025-10-24

Title

Tutor LMS < 3.9.0 - Missing Authorization to Sensitive Information Exposure

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value

Published

2023-06-02

Title

Online Booking & Scheduling Calendar for WordPress by vcita < 4.4.3 - Unauthenticated Stored XSS