CVE-2026-39469
Information Disclosure in Softaculous PageLayer
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| softaculous | pagelayer | to 2.0.8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the PageLayer plugin allows unauthorized access to sensitive data by users with Contributor or Developer privileges. Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Although the CVSS score is low, the sensitive data exposure classified under OWASP Top 10 category A3 indicates a risk that could facilitate further exploitation and potential data breaches, which are critical compliance concerns under these regulations.
Therefore, failure to patch this vulnerability (by updating to version 2.0.9 or later) could result in violations of standards that mandate protection of sensitive information and proper access controls.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects WordPress sites using the PageLayer plugin version 2.0.8 or earlier. Detection involves verifying the installed plugin version and checking for unauthorized access to sensitive data by users with Contributor or Developer privileges.
To detect if your system is vulnerable, first identify the PageLayer plugin version installed on your WordPress site. You can do this by running the following command in the WordPress installation directory:
- `grep -iE 'stable tag|version' wp-content/plugins/pagelayer/readme.txt`
If the version is 2.0.8 or lower, your system is vulnerable. Additionally, monitoring access logs for unusual activity by users with Contributor or Developer roles may help detect exploitation attempts.
Since the vulnerability allows unauthorized retrieval of sensitive data, you can also check for suspicious HTTP requests that attempt to access restricted plugin data endpoints. For example, using command-line tools like curl or wget to simulate such requests might help identify exposure.
- `curl -I https://yourwebsite.com/wp-content/plugins/pagelayer/sensitive-data-endpoint`
Replace 'sensitive-data-endpoint' with the actual plugin endpoint suspected to expose data, if known. However, specific endpoints are not detailed in the provided information.
Ultimately, the recommended action is to update the PageLayer plugin to version 2.0.9 or later to mitigate this vulnerability.
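The version check described above can be scripted across several WordPress roots. The following is an added example, not code from the plugin or from this advisory; it assumes that readme.txt carries the standard WordPress "Stable tag:" header and that the main plugin file is named pagelayer.php, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report PageLayer installs below the fixed release 2.0.9.
FIXED_IN="2.0.9"

# Print the installed version under WordPress root $1 (empty if not found).
# Assumptions: readme.txt has the standard "Stable tag:" header; the main
# plugin file is named pagelayer.php and carries a "Version:" header.
pagelayer_version() {
    dir="$1/wp-content/plugins/pagelayer"
    v=""
    if [ -f "$dir/readme.txt" ]; then
        v=$(sed -n 's/^[Ss]table tag:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
            "$dir/readme.txt" | head -n 1)
    fi
    if [ -z "$v" ] && [ -f "$dir/pagelayer.php" ]; then
        v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
            "$dir/pagelayer.php" | head -n 1)
    fi
    printf '%s' "$v"
}

# Return 0 when dotted version $1 is lower than $2, comparing field by field.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Print "vulnerable <v>", "patched <v>" or "unknown" for WordPress root $1.
pagelayer_status() {
    v=$(pagelayer_version "$1")
    if [ -z "$v" ]; then echo "unknown"
    elif version_lt "$v" "$FIXED_IN"; then echo "vulnerable $v"
    else echo "patched $v"
    fi
}

# Usage: sh check.sh /var/www/site1 /var/www/site2 (paths are examples)
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(pagelayer_status "$root")"
done
```

An "unknown" result means no version string could be read from either file, so the plugin is absent or needs manual inspection.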
Can you explain this vulnerability to me?
CVE-2026-39469 is a sensitive data exposure vulnerability in the WordPress PageLayer Plugin versions up to and including 2.0.8.
This vulnerability allows malicious actors with Contributor or Developer privileges to access sensitive information that is normally restricted from regular users.
It is classified under the OWASP Top 10 category A3: Sensitive Data Exposure and was fixed in version 2.0.9 of the plugin.
How can this vulnerability impact me?
The vulnerability can allow unauthorized users with certain privileges to view sensitive system information that should be restricted.
Exposure of this sensitive data may facilitate further exploitation of other system weaknesses.
Although the severity is rated low (CVSS score 4.3), attackers could exploit this vulnerability in mass campaigns targeting many websites.
Immediate updating to version 2.0.9 or later is recommended to mitigate this risk.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WordPress PageLayer Plugin to version 2.0.9 or later, as this version contains the patch that fixes the sensitive data exposure issue.
Users are strongly advised to apply this update promptly to prevent unauthorized users with Contributor or Developer privileges from accessing sensitive information.
Additionally, using automated update tools such as those offered by Patchstack can help provide rapid protection by ensuring vulnerable plugins are updated quickly.