CVE-2025-2104 in Page Builder Plugin
Summary
by MITRE • 03/13/2025
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/26/2025
The vulnerability identified as CVE-2025-2104 affects the Pagelayer WordPress plugin, specifically targeting versions up to and including 1.9.8. This security flaw resides within the pagelayer_save_content() function which fails to properly validate user input and authorization levels during the content saving process. The issue creates a critical access control bypass that allows authenticated users with Contributor-level permissions or higher to circumvent normal post moderation workflows and directly publish content to the website. This represents a significant weakness in the plugin's permission model and content management controls.
The technical flaw stems from inadequate input validation and insufficient authorization checks within the pagelayer_save_content() function. When users with Contributor-level access attempt to save content through the page builder interface, the system does not properly verify whether the user has the appropriate permissions to publish posts directly. This function appears to rely on incomplete or missing validation routines that fail to cross-check user roles against required publishing privileges. The vulnerability operates at the application level and specifically targets WordPress's content management system architecture, where the plugin's custom save functionality overrides standard WordPress publishing workflows.
The operational impact of this vulnerability is substantial as it allows malicious or compromised Contributor-level users to bypass editorial controls and directly publish content to production environments. This creates opportunities for unauthorized content injection, potential spam campaigns, or malicious modifications that could affect website integrity and user trust. The vulnerability affects all WordPress installations using the affected Pagelayer plugin versions, making it particularly dangerous in multi-user environments where contributors may have elevated privileges. Attackers could exploit this to publish inappropriate content, inject malware, or disrupt normal website operations without proper approval processes.
Security mitigations for this vulnerability should include immediate patching to version 1.9.9 or later which contains the necessary validation fixes. Administrators should also implement additional monitoring of post publishing activities and user permissions to detect unauthorized publishing attempts. The recommended approach aligns with CWE-863 principle of least privilege, ensuring that users can only perform actions they are explicitly authorized to execute. Organizations should also consider implementing role-based access controls and regular security audits of WordPress plugins to identify similar authorization bypass vulnerabilities. This issue relates to ATT&CK technique T1078.004 for valid accounts and T1548.001 for privilege escalation, highlighting the need for comprehensive access control measures beyond simple authentication.