{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39469", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:41:57.169Z", "datePublished": "2026-04-08T08:30:07.826Z", "dateUpdated": "2026-04-08T08:30:07.826Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pagelayer", "product": "PageLayer", "vendor": "Softaculous", "versions": [{"changes": [{"at": "2.0.9", "status": "unaffected"}], "lessThanOrEqual": "2.0.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:50.828Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.<p>This issue affects PageLayer: from n/a through <= 2.0.8.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:07.826Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pagelayer/vulnerability/wordpress-pagelayer-plugin-2-0-8-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress PageLayer plugin <= 2.0.8 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8."}], "id": "CVE-2026-39469", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:21.970", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pagelayer/vulnerability/wordpress-pagelayer-plugin-2-0-8-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PageLayer", "source": "cna", "vendor": "Softaculous"}, "product": "pagelayer", "vendor": "softaculous"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:19:16.044418+00:00", "value": {"mitigation_remediation": ["Upgrade PageLayer to a version newer than 2.0.8.", "If an update is not immediately possible, deactivate or delete the PageLayer plug\u2011in from the WordPress installation.", "Verify that no embedded data files or configuration remnants remain exposed after removal or upgrade.", "Monitor web server logs for suspicious access attempts to PageLayer endpoints.", "Apply general WordPress hardening practices, including restricting file permissions and keeping core, themes, and other plug\u2011ins up to date."], "summary": {"action": "Patch Plugin", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Softaculous PageLayer plug\u2011in installed in any version up through 2.0.8 are impacted. The vulnerability applies to all releases of the plug\u2011in that belong to the Softaculous PageLayer family.", "description_and_impact": "The Softaculous PageLayer plug\u2011in contains a flaw that permits retrieval of embedded sensitive system information. When exploited, this issue leads to the exposure of data that should be protected from unauthorized users, compromising the confidentiality of the affected WordPress installation.", "risk_and_exploitability": "No CVSS score or EPSS value is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via standard HTTP requests to plug\u2011in endpoints that are not properly authenticated, allowing unauthenticated users to read sensitive data. Because the vulnerability directly exposes confidential information such as configuration data or credentials, the risk is considered significant, with the possibility of compromising user privacy and system integrity if the data includes privileged details."}}}}, "created": "2026-04-08T19:30:54.029112+00:00", "updated": "2026-04-08T19:43:22.903823+00:00", "vendors": ["softaculous", "softaculous$PRODUCT$pagelayer", "wordpress", "wordpress$PRODUCT$wordpress"]}