CVE-2020-35947
📋 TL;DR
This vulnerability in the PageLayer WordPress plugin allows authenticated users to execute the plugin's AJAX actions without proper permission checks, including modifying page content and injecting cross-site scripting (XSS) payloads. It affects WordPress sites running PageLayer plugin versions before 1.1.2. The root cause is that the plugin relied on nonces as its authorization check: a nonce only proves a request originated from a page that embedded it, and because those nonces were publicly accessible, anyone who could obtain one could call the actions regardless of role.
💻 Affected Systems
- WordPress PageLayer plugin
📦 What is this software?
Pagelayer by Pagelayer
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify any page content, inject persistent XSS payloads affecting all visitors, deface websites, steal session cookies, and potentially escalate privileges through crafted payloads.
Likely Case
Authenticated attackers (including low-privilege users) modifying page content, injecting XSS that affects other users, and potentially compromising user accounts through session theft.
If Mitigated
With proper authentication and authorization controls, only authorized administrators could modify content, preventing unauthorized changes and XSS injection.
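What "proper authorization controls" look like in a WordPress AJAX handler, as an added illustration (this is example code written for this page, not PageLayer's actual source; the function names, the `example_nonce` action and the `example_save_content` hook are made up). The first function shows the pattern the advisory describes, a nonce used as the only gate; the second keeps the nonce for CSRF protection but adds an explicit capability check for this user on this post and sanitizes the submitted markup.

```php
<?php
// Illustrative handlers, not PageLayer's code. Names are hypothetical.

// WEAK PATTERN: the nonce is a CSRF token, not an authorization decision.
// check_ajax_referer() passes for any caller who holds a valid nonce; if the
// nonce is printed into pages that low-privilege or anonymous users can see,
// it says nothing about whether the caller may edit this post.
function example_save_content_unsafe() {
    check_ajax_referer( 'example_nonce', 'nonce' );            // CSRF check only
    $post_id = absint( $_POST['post_id'] );
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_unslash( $_POST['content'] ),    // raw HTML stored as-is
    ) );
    wp_send_json_success();
}

// HARDENED PATTERN: nonce (CSRF) + capability check (authorization) + sanitization.
function example_save_content_safe() {
    check_ajax_referer( 'example_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // The authorization decision: may THIS user edit THIS post? wp_send_json_error()
    // calls wp_die(), so execution stops here on failure.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // wp_kses_post() removes <script>, event-handler attributes and other
    // disallowed markup before the content is stored, closing the stored-XSS path.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ), true );                                                   // true = return WP_Error on failure

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Register for logged-in users only; deliberately no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_example_save_content', 'example_save_content_safe' );
```

The point of the pair is that `check_ajax_referer()` and `current_user_can()` answer different questions (did this request come from my own page, and is this user allowed to do this) and a handler that changes content needs both.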
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.2
Vendor Advisory: https://wordpress.org/plugins/pagelayer/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the PageLayer plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.1.2+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable PageLayer plugin (applies to: all)
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate pagelayer
Restrict user registration (applies to: all)
Prevent new user accounts from being created to limit the attack surface:
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious AJAX requests to pagelayer endpoints
- Monitor and audit user activity logs for unauthorized page modifications or suspicious AJAX calls
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the PageLayer version. If the version is below 1.1.2, the site is vulnerable.
Check Version:
wp plugin list --name=pagelayer --field=version
Verify Fix Applied:
Verify PageLayer plugin version is 1.1.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=pagelayer_save_content or other pagelayer_* actions from non-admin users
- Unexpected page modifications in revision history
Network Indicators:
- HTTP POST requests to admin-ajax.php containing pagelayer_* parameters from unexpected IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "pagelayer_" AND NOT user_role="administrator"
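For the "If You Can't Patch" and "Detection & Monitoring" sections above, a single must-use plugin can serve as both the virtual patch and the log source: it intercepts every `pagelayer_*` AJAX action on `admin-ajax.php`, denies it when the caller lacks a chosen capability, and writes one log line per denied call that matches the log indicator described above. This is example code written for this page, not part of PageLayer or WordPress; the `edit_posts` threshold and the `pagelayer-gate:` log prefix are assumptions you should adapt to your site.

```php
<?php
/*
 * Plugin Name: PageLayer AJAX capability gate (example mitigation)
 * Description: Drop this file into wp-content/mu-plugins/ on a site that cannot
 * update yet. Example code, not part of the PageLayer plugin.
 */

// Assumption: 'edit_posts' is the lowest role that legitimately uses the page
// builder. Raise to 'edit_pages' or 'manage_options' if only editors or
// administrators build pages on this site.
define( 'EXAMPLE_PL_REQUIRED_CAP', 'edit_posts' );

function example_pl_gate_ajax() {
    // Only act on admin-ajax.php requests; ordinary admin page loads pass through.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    // The advisory's indicator is any action in the pagelayer_* namespace.
    if ( strpos( $action, 'pagelayer_' ) !== 0 ) {
        return;
    }

    // Authorized callers continue to the plugin's own handler untouched.
    if ( current_user_can( EXAMPLE_PL_REQUIRED_CAP ) ) {
        return;
    }

    // Everyone else (low-privilege users and, if the plugin exposes nopriv
    // actions, anonymous callers) is logged and refused.
    $user = wp_get_current_user();
    error_log( sprintf(
        'pagelayer-gate: denied action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,                       // 0 when not logged in
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );  // calls wp_die()
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_* / wp_ajax_nopriv_*
// actions, so a low-priority hook here runs ahead of the plugin's handlers.
add_action( 'admin_init', 'example_pl_gate_ajax', 1 );
```

The resulting `pagelayer-gate: denied ...` lines land in the PHP error log (or wherever `error_log()` is routed), which gives the SIEM query above a concrete event to match on. Because the gate also refuses anonymous callers, verify on a staging copy that any front-end (nopriv) actions the plugin legitimately needs are not among those blocked before deploying it; it is a stopgap for sites that cannot yet move to 1.1.2, not a replacement for the update.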
🔗 References
- https://wpscan.com/vulnerability/10239
- https://www.wordfence.com/blog/2020/05/high-severity-vulnerabilities-in-pagelayer-plugin-affect-over-200000-wordpress-sites/