Primary

Context

Page Builder: Pagelayer Insecure Direct Object Reference Vulnerability Allowing Media Replacement

Vulnerability

Patched

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Page Builder: Pagelayer WordPress plugin, in all versions through 2.0.5. The issue arises in the 'pagelayer_replace_page' function, where insufficient validation on a user-controlled key allows authenticated attackers with Author-level access or higher to replace media files belonging to other users, including administrators.

Impact

Exploitation of this vulnerability allows for unauthorized replacement of media files, potentially leading to misuse of media assets or disruption of content.

Remediation

Users are advised to update the Page Builder: Pagelayer plugin to version 2.0.6 or a newer patched version.

Added: Nov 13, 2025, 4:20 AM

Updated: Nov 13, 2025, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

6.1

remediation

7.7

relevance

1.1

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

6.1

remediation

7.7

relevance

1.1

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Page Builder: Pagelayer Insecure Direct Object Reference Vulnerability Allowing Media Replacement

Vulnerability

Impact

Remediation

Affected Products

Page Builder: Pagelayer

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating