Flaws in WordPress PageLayer plugin put over 100k WordPress websites at risk


Security flaws found in the popular WordPress PageLayer plugin expose up to 100k+ websites to exploitation

Pagelayer is a WordPress page builder plugin. It’s very easy to use and very light on the browser. Pagelayer works with any WordPress theme. Pagelayer is a real-time editor and you can create beautiful web pages and web sites in a few minutes! You don’t need any programming knowledge when using Pagelayer. Pagelayer comes with top-notch features with a great UX and simple UI.

Researchers have found two major security flaws in the Pagelayer plugin that could potentially allow attackers to wipe the contents of, or take over, WordPress sites running vulnerable plugin versions. One vulnerability could allow an authenticated user with subscriber-level and above permissions to update and modify posts.

"One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things," said the researchers.

The second vulnerability found in the plugin allowed attackers to forge a request on behalf of a site’s administrator to change the plugin settings, which in turn allowed malicious JavaScript to be injected. Both vulnerabilities are the result of unprotected AJAX actions, nonce disclosure, and a lack of Cross-Site Request Forgery (CSRF) protection.
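The three root causes named above map onto a common WordPress AJAX pattern. The following is an added illustration, not Pagelayer's code: the action name `demo_save_content`, the nonce field `demo_nonce` and the script handle `demo-editor` are hypothetical. It shows a handler with none of the checks next to one that verifies the nonce, checks the capability for the specific post, and only hands the nonce to users who may edit.

```php
<?php
// Added example. All "demo_*" names are hypothetical, not taken from any plugin.

// Weak pattern: wp_ajax_* fires for ANY logged-in user (subscribers included),
// and nothing here checks a nonce or a capability before writing.
add_action( 'wp_ajax_demo_save_content_weak', function () {
    wp_update_post( array(
        'ID'           => (int) $_POST['post_id'],
        'post_content' => $_POST['content'],
    ) );
    wp_send_json_success();
} );

// Hardened pattern.
add_action( 'wp_ajax_demo_save_content', 'demo_save_content' );
function demo_save_content() {
    // 1. CSRF: require a valid nonce tied to this action.
    //    Third argument false makes check_ajax_referer() return instead of dying.
    if ( ! check_ajax_referer( 'demo_save_content', 'demo_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // 2. Authorization: a nonce is not a permission check. If the nonce is
    //    disclosed to low-privileged users, this check is what still stops them.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 3. Filter the markup before it is stored (wp_update_post expects slashed data).
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    $result  = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_slash( $content ),
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Nonce disclosure: only emit the nonce for users who can edit posts,
// and only on admin screens where the (hypothetical) editor script is enqueued.
add_action( 'admin_enqueue_scripts', function () {
    if ( current_user_can( 'edit_posts' ) ) {
        wp_localize_script( 'demo-editor', 'demoAjax', array(
            'nonce' => wp_create_nonce( 'demo_save_content' ),
        ) );
    }
} );
```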

The researchers reported the vulnerabilities to PageLayer’s developer on April 30, and they were patched with the release of version 1.1.2 on May 6. The developers warn their users to update the plugin as soon as possible.

The company has yet to release an official statement on the users affected by the vulnerabilities.

