CVE-2026-2470
Status: Deferred - Pending Action
Incorrect Authorization in Pagelayer WordPress Plugin

Publication date: 2026-06-13

Last updated on: 2026-06-15

Assigner: Wordfence

Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.
Meta Information
Published: 2026-06-13
Last Modified: 2026-06-15
Generated: 2026-06-17
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: pagelayer
Product: pagelayer
Version / Range: all versions up to and including 2.0.9
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Executive Summary

The vulnerability exists in the Page Builder: Pagelayer plugin for WordPress, specifically in all versions up to and including 2.0.9. It is an Incorrect Authorization issue where users with basic post-edit capabilities (such as Contributor-level access) can save arbitrary contact-form mail templates via the pagelayer_save_content AJAX handler. These templates are stored as metadata on posts they can edit, including pending posts. Later, the unauthenticated pagelayer_contact_submit endpoint uses this metadata without enforcing proper privilege or published-post checks, allowing unauthenticated form submissions to use attacker-controlled mail templates.

This means that an attacker with only limited authenticated access (a Contributor account) can stage mail templates on a pending post they control, and any unauthenticated visitor can then trigger delivery of email built from those templates through the public submission endpoint, so the site's own mail infrastructure ends up sending attacker-authored messages.

Additionally, this vulnerability can be combined with CVE-2026-2442 to increase the attacker's control over outbound email behavior.

Impact Analysis

This vulnerability allows attackers with Contributor-level access or higher to define arbitrary contact-form mail templates that unauthenticated visitors can then trigger. The result is unauthorized use of the site's contact form to send email whose content is dictated by the attacker's template rather than by the site owner.

The impact includes potential misuse of the website's email functionality, which could be leveraged for spam, phishing, or other malicious email campaigns originating from the vulnerable site.

The direct impact is to integrity: the attacker controls the content of email the site sends, while confidentiality and availability are not directly affected. The practical risk is therefore abuse of the site's mail templates and sender reputation rather than exposure of data.
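The two missing boundaries named in the description (a privileged check before the template metadata is persisted, and a published-context check before the unauthenticated endpoint consumes it) are easiest to see in code. The sketch below is an added illustration written for this page, not Pagelayer's code and not the vendor's fix. Only the handler names pagelayer_save_content and pagelayer_contact_submit, the meta key pagelayer_contact_templates and the contacts request parameter come from the advisory; the example_ function names, the postID parameter, the nonce action and field names, the publish_posts capability bar and the shape of the stored template array are all assumptions. The WordPress API calls themselves (check_ajax_referer, current_user_can, get_post, get_post_meta, update_post_meta, wp_mail, wp_send_json_error) are real core functions.

```php
<?php
/**
 * Added example: the authorization boundaries an AJAX save handler and an
 * unauthenticated submit handler need so that a Contributor cannot stage
 * mail templates on a pending post that the public endpoint later uses.
 * Illustrative only; not Pagelayer's code. Handler names, the meta key and
 * the 'contacts' parameter are from the advisory, everything else is assumed.
 */

// Capability required to persist mail templates. Contributors lack
// publish_posts, so merely being able to edit a pending post is no longer
// enough. (Assumed bar; a site could demand manage_options instead.)
const EXAMPLE_TEMPLATE_CAP = 'publish_posts';

add_action( 'wp_ajax_pagelayer_save_content', 'example_save_content' );

function example_save_content() {
    // Nonce action and field name are assumptions for the example.
    check_ajax_referer( 'pagelayer_ajax', 'pagelayer_nonce' );

    $post_id = isset( $_POST['postID'] ) ? (int) $_POST['postID'] : 0;
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Boundary 1: mail templates are a privileged setting, not ordinary post
    // content. The edit_post check above is necessary but not sufficient.
    if ( isset( $_POST['pagelayer_contact_templates'] ) ) {
        if ( ! current_user_can( EXAMPLE_TEMPLATE_CAP ) ) {
            wp_send_json_error( 'template configuration requires ' . EXAMPLE_TEMPLATE_CAP, 403 );
        }
        $templates = example_sanitize_templates( wp_unslash( $_POST['pagelayer_contact_templates'] ) );
        update_post_meta( $post_id, 'pagelayer_contact_templates', $templates );
    }

    // ... the rest of the content save is out of scope for this example ...
    wp_send_json_success();
}

// Assumed storage shape: form_id => array( 'subject' => ..., 'body' => ... ).
// The recipient is deliberately not part of the template (see submit handler).
function example_sanitize_templates( $raw ) {
    $clean = array();
    if ( ! is_array( $raw ) ) {
        return $clean;
    }
    foreach ( $raw as $form_id => $tpl ) {
        $form_id = sanitize_key( $form_id );
        $clean[ $form_id ] = array(
            'subject' => sanitize_text_field( $tpl['subject'] ?? '' ),
            'body'    => wp_kses_post( $tpl['body'] ?? '' ),
        );
    }
    return $clean;
}

add_action( 'wp_ajax_nopriv_pagelayer_contact_submit', 'example_contact_submit' );
add_action( 'wp_ajax_pagelayer_contact_submit', 'example_contact_submit' );

function example_contact_submit() {
    $post_id = isset( $_POST['postID'] ) ? (int) $_POST['postID'] : 0;
    $form_id = isset( $_POST['contacts'] ) ? sanitize_key( $_POST['contacts'] ) : '';

    // Boundary 2: an anonymous caller may only drive forms that live on a
    // published, publicly readable post. Metadata on pending, draft or
    // password-protected posts is never consulted, whatever IDs are supplied.
    $post = get_post( $post_id );
    if ( ! $post || 'publish' !== $post->post_status || post_password_required( $post ) ) {
        wp_send_json_error( 'form not available', 404 );
    }

    $templates = get_post_meta( $post_id, 'pagelayer_contact_templates', true );
    if ( ! is_array( $templates ) || ! isset( $templates[ $form_id ] ) ) {
        wp_send_json_error( 'unknown form', 404 );
    }
    $tpl = $templates[ $form_id ];

    // The recipient comes from site configuration, never from post meta or the
    // request, so even a stored template cannot redirect mail to a third party.
    $to      = get_option( 'admin_email' );
    $subject = '' !== $tpl['subject'] ? $tpl['subject'] : 'Contact form submission';
    $body    = example_render_body( $tpl['body'], $_POST );

    wp_mail( $to, $subject, $body );
    wp_send_json_success();
}

// Substitute {{field}} placeholders with sanitized submitted values only.
function example_render_body( $template, array $fields ) {
    return preg_replace_callback( '/\{\{([a-z0-9_]+)\}\}/i', function ( $m ) use ( $fields ) {
        $value = isset( $fields[ $m[1] ] ) ? wp_unslash( $fields[ $m[1] ] ) : '';
        return sanitize_textarea_field( $value );
    }, $template );
}
```

The two boundaries are independent on purpose. Boundary 2 alone would still let a Contributor's staged template go live the moment an Editor publishes the pending post, which is why Boundary 1 refuses to persist the template in the first place; Boundary 1 alone would still leave the public endpoint reading whatever happens to be attached to any post ID a caller names. Pinning the recipient to a site setting limits what even a legitimately configured template can do to outbound mail, which is the part of the attack surface the chained CVE-2026-2442 is described as widening.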
