CVE-2026-2470 Overview
CVE-2026-2470 is an Incorrect Authorization vulnerability [CWE-863] affecting the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress in all versions up to and including 2.0.9. The flaw resides in the pagelayer_save_content AJAX handler, which allows users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit. The unauthenticated pagelayer_contact_submit endpoint then consumes that metadata without enforcing a privileged or published-context boundary. Authenticated attackers with Contributor-level access or above can configure arbitrary contact-form mail templates that are then triggered through unauthenticated form submission.
Critical Impact
Contributor-level attackers can plant attacker-controlled email templates that the plugin later sends through unauthenticated submissions, enabling abuse of outbound email behavior.
Affected Products
- Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress
- All versions up to and including 2.0.9
- WordPress sites configured with Contributor-level (or above) user accounts
Discovery Timeline
- 2026-06-13 - CVE-2026-2470 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-2470
Vulnerability Analysis
The vulnerability arises from a broken trust boundary between two Pagelayer endpoints. The pagelayer_save_content AJAX handler trusts the standard WordPress edit_post capability check, which Contributor accounts satisfy for their own drafts and pending posts. This handler accepts and persists the pagelayer_contact_templates post metadata without restricting which keys may be written. The metadata is intended for Pagelayer Pro UI configuration of contact form mail templates, but the backend accepts it from any qualifying user.
The unauthenticated pagelayer_contact_submit endpoint later reads the stored template metadata using post and form identifiers supplied in the contacts request parameter. The endpoint does not verify that the source post is published or that the originating author held privileged capabilities. This combination allows low-privileged users to influence behavior reached through a public endpoint.
This issue may be chained with CVE-2026-2442 to expand attacker control over outbound email behavior.
Root Cause
The root cause is a missing authorization boundary between metadata write and metadata consumption. The plugin equates edit_post capability with trust to configure outbound mail templates. No published-state check or privileged-role check is enforced before honoring the stored template on the public submission path.
Attack Vector
An attacker authenticates as a Contributor or higher and creates or edits a post they own. The attacker invokes the pagelayer_save_content AJAX action to persist crafted pagelayer_contact_templates metadata on that post. The attacker then sends a request to the unauthenticated pagelayer_contact_submit endpoint with a contacts parameter referencing the attacker-controlled post and form identifiers. The endpoint processes the planted template and acts on its content during form submission.
See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-2470
Indicators of Compromise
- Unexpected pagelayer_contact_templates entries in the wp_postmeta table tied to draft or pending posts authored by Contributor accounts
- Authenticated admin-ajax.php requests invoking the pagelayer_save_content action from non-administrative users
- Unauthenticated POST requests to admin-ajax.php with the pagelayer_contact_submit action and a contacts parameter referencing non-published post IDs
- Outbound mail from the WordPress host with recipients, subjects, or bodies not matching legitimate site forms
Detection Strategies
- Query wp_postmeta for the pagelayer_contact_templates key and review which user roles authored the parent posts
- Correlate web server logs for the two AJAX actions originating from the same session or IP within a short interval
- Inspect mail server logs for spikes in submissions tied to the Pagelayer contact submission endpoint
Monitoring Recommendations
- Alert on creation or modification of pagelayer_contact_templates post meta by non-Administrator roles
- Monitor traffic volume to the pagelayer_contact_submit endpoint and flag references to unpublished post IDs
- Track Contributor and Author account activity for unusual AJAX action invocations
How to Mitigate CVE-2026-2470
Immediate Actions Required
- Update the Pagelayer plugin to a version newer than 2.0.9 that includes the fix referenced in the WordPress Plugin Change Log
- Audit existing posts for unauthorized pagelayer_contact_templates metadata and remove suspicious entries
- Review Contributor, Author, and Editor accounts for unexpected activity and rotate credentials where warranted
Patch Information
The vendor addressed the issue in the plugin update tracked at changeset 3506022. Site operators should apply the patched version through the WordPress plugin updater and verify the installed version is greater than 2.0.9.
Workarounds
- Restrict Contributor-level account creation and disable self-registration where not required
- Temporarily disable the Pagelayer plugin on sites that cannot patch immediately
- Place a web application firewall rule blocking unauthenticated requests to admin-ajax.php with the pagelayer_contact_submit action until the plugin is updated
# Verify the installed Pagelayer plugin version using WP-CLI
wp plugin get pagelayer --field=version
# Update Pagelayer to the latest patched release
wp plugin update pagelayer
# Audit posts for the vulnerable metadata key
wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = 'pagelayer_contact_templates';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

