
CVE-2025-12366: CWE-639 Authorization Bypass Through User-Controlled Key in softaculous Page Builder: Pagelayer – Drag and Drop website builder

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-12366, CWE-639
Published: Thu Nov 13 2025 (11/13/2025, 03:27:37 UTC)
Source: CVE Database V5
Vendor/Project: softaculous
Product: Page Builder: Pagelayer – Drag and Drop website builder

Description

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.

AI-Powered Analysis

Last updated: 11/13/2025, 03:59:37 UTC

Technical Analysis

CVE-2025-12366 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress, developed by Softaculous. The vulnerability exists in all versions up to and including 2.0.5 within the pagelayer_replace_page function. This function fails to properly validate a user-controlled key parameter, leading to an insecure direct object reference (IDOR) condition. As a result, authenticated attackers with Author-level privileges or higher can replace media files that belong to other users, including administrators. This unauthorized modification can compromise the integrity of website content and potentially facilitate further attacks such as privilege escalation or defacement. The vulnerability does not impact confidentiality or availability directly but undermines data integrity. Exploitation requires no user interaction but does require the attacker to be authenticated with sufficient privileges, which limits the attack surface to insiders or compromised accounts. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 score is 4.3 (medium), reflecting the moderate risk posed by this vulnerability. The issue was reserved on 2025-10-27 and published on 2025-11-13 by Wordfence. Organizations using this plugin should monitor for updates and consider immediate mitigations to prevent unauthorized media replacement.
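To show the object-level authorization check whose absence CWE-639 describes, here is an added example of a WordPress media-replacement handler written for this page (illustrative code, not Pagelayer's; the action name, nonce name and request parameters are assumptions):

```php
<?php
// Added illustration, not Pagelayer's code. The attachment ID arrives from the
// request, so it is the "user-controlled key" of CWE-639. A handler of this
// shape that skipped step 3 and called update_attached_file() for whatever ID
// the request supplied would let any Author overwrite other users' media.

add_action( 'wp_ajax_example_replace_media', 'example_replace_media' );

function example_replace_media() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'example_replace_media', 'nonce' );

    // 2. Read and sanitize the user-controlled key, and confirm it names an attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $post          = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // 3. Object-level authorization. map_meta_cap() resolves 'edit_post' on an
    //    attachment to edit_posts for the caller's own files and to
    //    edit_others_posts for files owned by someone else. An Author has the
    //    former but not the latter, so replacing an administrator's media is denied.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the upload with core's handler, and only then overwrite the file.
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }
    update_attached_file( $attachment_id, $upload['file'] );
    wp_send_json_success( array( 'id' => $attachment_id, 'url' => $upload['url'] ) );
}
```

For monitoring (mitigation step 2 below), the same capability check is a natural place to log denied attempts together with the caller's user ID and the requested attachment ID.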

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the integrity of web content managed via WordPress sites using the vulnerable Page Builder: Pagelayer plugin. Attackers with Author-level access can replace media files belonging to other users, including administrators, potentially leading to defacement, misinformation, or embedding malicious content within trusted media assets. This can damage organizational reputation, disrupt business operations, and facilitate further attacks such as social engineering or privilege escalation. Although the vulnerability does not directly impact confidentiality or availability, the integrity compromise can have cascading effects on trust and security posture. Organizations with multiple content contributors or less stringent access controls are at higher risk. Given the widespread use of WordPress in Europe, especially among SMEs and public sector websites, the vulnerability could affect a broad range of sectors. The absence of known exploits reduces immediate risk but should not lead to complacency. Attackers with insider access or compromised Author accounts represent the primary threat vector. The impact is more pronounced in environments where media files are critical for branding, customer trust, or regulatory compliance.

Mitigation Recommendations

1. Restrict Author-level access to trusted personnel only and review user permissions to enforce the principle of least privilege.
2. Monitor and audit media file changes and user activity on WordPress sites to detect unauthorized modifications promptly.
3. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the pagelayer_replace_page function or unusual media replacement attempts.
4. Isolate or sandbox media upload and replacement functionality where possible to limit the scope of potential damage.
5. Regularly back up media assets and website content to enable rapid restoration in case of unauthorized changes.
6. Engage with the plugin vendor or community to obtain patches or updates as soon as they become available and apply them promptly.
7. Consider temporarily disabling or replacing the vulnerable plugin if immediate patching is not feasible.
8. Educate content authors and administrators about the risks of privilege misuse and encourage strong authentication practices to reduce the risk of account compromise.
9. Use multi-factor authentication (MFA) for all WordPress accounts with elevated privileges to mitigate the risk of credential theft.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-27T18:41:31.071Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691553e024a15f0eafbbc09b

Added to database: 11/13/2025, 3:43:28 AM

Last enriched: 11/13/2025, 3:59:37 AM

Last updated: 11/13/2025, 8:14:44 AM

