PatchSiren


CVE-2026-2470 softaculous CVE debrief

CVE-2026-2470 is an Incorrect Authorization vulnerability in the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. The vulnerability affects all versions up to, and including, 2.0.9. The issue arises from the pagelayer_save_content AJAX handler, which allows users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit, including pending posts. The unauthenticated pagelayer_contact_submit endpoint later consumes this metadata without enforcing a privileged or published-context boundary. This allows authenticated attackers with Contributor-level access and above to configure arbitrary contact-form mail templates that can be used through unauthenticated form submission via the contacts parameter.

Vendor: softaculous
Product: Page Builder: Pagelayer – Drag and Drop website builder
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-13
Original CVE updated: 2026-06-13
Advisory published: 2026-06-13
Advisory updated: 2026-06-13

Who should care

Users of the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress should be aware of this vulnerability, particularly on sites that have accounts with Contributor-level access and above. Administrators of WordPress sites using this plugin should take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-863.

Defensive priority

The vulnerability can be exploited by authenticated attackers with Contributor-level access and above. To mitigate it, update the plugin to a version that addresses this vulnerability.

Recommended defensive actions

  • Update the Page Builder: Pagelayer – Drag and Drop website builder plugin to a version that addresses this vulnerability.
  • Restrict access to the pagelayer_save_content AJAX handler and the pagelayer_contact_submit endpoint.
  • Monitor for suspicious activity related to contact form submissions.
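As an aid to the monitoring step, the following audit lists posts that carry pagelayer_contact_templates metadata while unpublished or authored by a low-privileged account, which is the condition the description above identifies. It is an added example, not code from PatchSiren or the plugin; the SQL targets the stock WordPress tables and is run here against constructed sample rows in SQLite. Assumptions: the "wp_" table prefix, storage of the metadata in wp_postmeta under the key named in the advisory, and the function names audit and sample_db.

```python
import sqlite3

# Assumptions: "wp_" table prefix; meta key as named in the advisory text.
META_KEY = "pagelayer_contact_templates"
LOW_PRIV = ('"contributor"', '"author"')  # role names inside wp_capabilities

AUDIT_SQL = """
SELECT p.ID, p.post_status, u.user_login, c.meta_value
FROM wp_postmeta m
JOIN wp_posts p ON p.ID = m.post_id
JOIN wp_users u ON u.ID = p.post_author
LEFT JOIN wp_usermeta c ON c.user_id = u.ID AND c.meta_key = 'wp_capabilities'
WHERE m.meta_key = ?
ORDER BY p.ID
"""

def audit(conn):
    """Return (post_id, status, author, reasons) for templates needing review."""
    findings = []
    for post_id, status, login, caps in conn.execute(AUDIT_SQL, (META_KEY,)):
        reasons = []
        if status != "publish":
            reasons.append("post not published")
        if caps is None or any(role in caps for role in LOW_PRIV):
            reasons.append("author low-privileged or without a role")
        if reasons:
            findings.append((post_id, status, login, reasons))
    return findings

def sample_db():
    """Constructed rows in a cut-down copy of the stock WordPress schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_posts(ID INTEGER, post_author INTEGER, post_status TEXT);
    CREATE TABLE wp_postmeta(post_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_users(ID INTEGER, user_login TEXT);
    CREATE TABLE wp_usermeta(user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1,'admin'),(2,'guestwriter');
    INSERT INTO wp_usermeta VALUES
      (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
      (2,'wp_capabilities','a:1:{s:11:"contributor";b:1;}');
    INSERT INTO wp_posts VALUES (10,1,'publish'),(11,2,'pending'),(12,1,'draft');
    INSERT INTO wp_postmeta VALUES (10,'pagelayer_contact_templates','{}'),
      (11,'pagelayer_contact_templates','{}'),
      (12,'pagelayer_contact_templates','{}'),(12,'_edit_lock','x');
    """)
    return conn

if __name__ == "__main__":
    print(*audit(sample_db()), sep="\n")
```

On a live site the same SELECT can be run read-only against the MySQL database, substituting the site's table prefix and a literal key for the placeholder.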

Evidence notes

The vulnerability was reported by [email protected] and can be found in the CVE record on CVE.org and the NVD detail page.

Official resources

CVE-2026-2470 was published on 2026-06-13T08:16:12.030Z and has not been modified since.