WordPress Plugin Vulnerabilities

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.0 - Missing Authorization to Authenticated (Contributor+) Post Publication

Description

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.

Affects Plugins

Plugin icon
pagelayer
Fixed in 2.0.0

References

CVE
CVE-2025-2104
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2e3897fb-0f40-4111-8a7d-60415e1f9f96

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Brian Sans-Souci (liardom)
Verified
No
WPVDB ID
9c23c231-9238-4ded-89f6-2f382693086a

Timeline

Publicly Published
2025-03-12 (about 1 year ago)
Added
2025-03-12 (about 1 year ago)
Last Updated
2025-03-13 (about 1 year ago)

Other

Published
Title
Published
2022-08-25
Title
About Me <= 1.0.12 - Subscriber+ Arbitrary Network Creation/Deletion
Published
2026-03-07
Title
Elementor Website Builder < 3.35.6 - Missing Authorization
Published
2024-08-12
Title
WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2023-12-27
Title
MC4WP < 4.9.10 - Unauthenticated Unpublished Form Preview
Published
2025-07-14
Title
Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation