{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12366", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T18:41:31.071Z", "datePublished": "2025-11-13T03:27:37.361Z", "dateUpdated": "2026-04-08T16:41:35.618Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:35.618Z"}, "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators."}], "title": "Page Builder: Pagelayer \u2013 Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394407%40pagelayer%2Ftrunk&old=3384061%40pagelayer%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-12T15:20:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T14:28:09.842888Z", "id": "CVE-2025-12366", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:34:35.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12366", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T14:28:09.842888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:28:11.879Z"}}], "cna": {"title": "Page Builder: Pagelayer \u2013 Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T15:20:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394407%40pagelayer%2Ftrunk&old=3384061%40pagelayer%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:35.618Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12366", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:35.618Z", "dateReserved": "2025-10-27T18:41:31.071Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T03:27:37.361Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators."}], "id": "CVE-2025-12366", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T04:15:45.927", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394407%40pagelayer%2Ftrunk&old=3384061%40pagelayer%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:12:44.488458+00:00", "value": {"mitigation_remediation": ["Upgrade the Pagelayer plugin to the latest available version that includes the pagelayer_replace_page ownership validation.", "Revoke Author-level or higher access for users who do not require media editing capabilities to reduce the attack surface.", "If an upgrade is not immediately possible, disable or restrict direct access to the pagelayer_replace_page endpoint by adding capability checks or removing the URL from public endpoints.", "Monitor file modification logs for unexpected media changes and investigate any anomalies promptly."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Media Replacement"}, "threat_synthesis": {"affected_systems": "Softaculous distributes the Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress. All released versions up to and including 2.0.5 are affected. The vulnerability exists in the plugin code that processes media replacement requests.", "description_and_impact": "The Pagelayer Drag and Drop website builder plugin for WordPress is exposed to an Insecure Direct Object Reference flaw that allows authenticated users with Author permissions or higher to call the pagelayer_replace_page function without proper validation. This flaw enables those users to replace media files belonging to other users, including administrators, thereby modifying site content, potentially inserting malicious media, or defacing the website. The primary impact is the integrity of uploaded files rather than confidentiality or availability.", "risk_and_exploitability": "The CVSS score of 4.3 classifies this issue as moderate severity. EPSS is reported as < 1%, indicating a very low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw requires an authenticated user with Author or higher privileges, the actual risk depends on the user base and permission model of the affected site. The attack vector is internal, leveraging legitimate user credentials to trigger the insecure function."}}}}, "created": "2025-11-13T15:50:13.770915+00:00", "updated": "2026-04-22T21:15:27.684164+00:00", "vendors": ["softaculous", "softaculous$PRODUCT$page_builder_pagelayer", "wordpress", "wordpress$PRODUCT$wordpress"]}