CVE-2025-12366 in Page Builder Plugin

Summary

by MITRE • 11/13/2025

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.


Analysis

by VulDB Data Team • 11/16/2025

CVE-2025-12366 affects the Pagelayer WordPress plugin in all versions up to and including 2.0.5. The flaw is located in the pagelayer_replace_page function, which does not validate the user-controlled key that selects the media object to act on. The result is an Insecure Direct Object Reference: an authenticated attacker with Author-level privileges or higher can manipulate media file references within the WordPress environment, because the function never checks whether the requesting user is actually authorized to modify that particular media object.

Technically, the flaw arises because pagelayer_replace_page processes the request without verifying that the authenticated user is authorized to access or modify the target media file. An attacker can therefore submit a reference to an attachment they do not own and have it replaced, including files belonging to users with administrative privileges. The affected code sits in the plugin's media management functionality, where the user-controlled parameter directly determines which file in the WordPress media library is modified or replaced.

Operationally, the vulnerability poses a significant risk to WordPress installations running the affected Pagelayer plugin. An attacker with Author-level access can use it to reach media files belonging to other users, potentially including sensitive content owned by administrators. The impact goes beyond simple file replacement: an attacker could introduce malicious media content, disrupt content management workflows, or potentially escalate privileges through manipulation of shared media resources. The flaw undermines the principle of least privilege and the role-based access controls WordPress relies on.

The vulnerability is classified under CWE-284 (Improper Access Control), the weakness class covering applications that fail to properly validate access to objects, of which Insecure Direct Object Reference is an instance. This weakness creates opportunities for privilege escalation and unauthorized data access within the WordPress platform. In ATT&CK terms it maps to privilege escalation, where an attacker leverages insecure object references to reach resources beyond their intended scope. Organizations using the affected plugin should implement mitigations without delay.

Mitigation starts with updating to version 2.0.6 or later, where the validation issue has been addressed. Administrators should also implement additional access controls and monitor media library modifications for unauthorized activity. Regular security audits of WordPress plugins and their access control mechanisms help identify similar vulnerabilities. The case illustrates why input validation and per-object access control matter in web applications, particularly in content management systems where multiple user roles interact with shared resources. Organizations should also consider network segmentation and monitoring solutions that can detect anomalous file modification patterns indicative of exploitation attempts.
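The pattern described above (a request-supplied attachment ID used to pick the media object to overwrite, with only a role check and no per-object authorization) and the fix the mitigation section calls for, as an added illustrative example. This is not Pagelayer's code: the hook name, the `attachment_id` and `file` parameter names, the nonce action and the `example_` function names are all assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Vulnerable pattern: the attachment ID comes straight from the request.
// 'upload_files' only proves the caller is at least an Author, so any Author
// can point this handler at an attachment owned by an administrator.
function example_replace_media_insecure() {
    check_ajax_referer( 'example_replace_media', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    // Missing: does the current user own or otherwise have edit rights to THIS object?
    example_overwrite_attachment( $attachment_id );
    wp_send_json_success();
}

// Hardened version: resolve the object, confirm it really is an attachment,
// then ask WordPress whether the current user may edit that specific post.
// For an attachment authored by someone else, 'edit_post' maps to
// 'edit_others_posts', which Authors do not have, so the IDOR is closed.
function example_replace_media_secure() {
    check_ajax_referer( 'example_replace_media', 'nonce' );
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );

    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    example_overwrite_attachment( $attachment_id );
    wp_send_json_success();
}

// Shared replacement step (hypothetical helper): store the uploaded file and
// point the existing attachment at it.
function example_overwrite_attachment( $attachment_id ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }
    update_attached_file( $attachment_id, $upload['file'] );
}

// Only the hardened handler is registered for the (assumed) AJAX action.
add_action( 'wp_ajax_example_replace_media', 'example_replace_media_secure' );
```

When auditing a plugin for this class of bug, the check to look for is the `current_user_can( 'edit_post', $id )` call against the object actually referenced by the request, not just a role or `upload_files` check at the top of the handler.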

Disclosure

11/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00034

KEV

no

Activities

very low
