Platform: wordpress
Component: pagelayer
Fixed in: 2.0.8
CVE-2026-2442 is a CRLF Injection vulnerability affecting the Pagelayer – Drag and Drop website builder plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary email headers by manipulating form fields, potentially leading to email abuse. This affects versions up to and including 2.0.7. The vulnerability is fixed in version 2.0.8.
CVE-2026-2442 affects the Page Builder: Pagelayer plugin for WordPress, allowing unauthenticated attackers to inject arbitrary email headers. This is due to a failure to properly neutralize CRLF (Carriage Return Line Feed) sequences in the contact form handler. The plugin performs placeholder substitution on attacker-controlled form fields and then passes the resulting values into email headers without removing CR/LF characters. An attacker could exploit this vulnerability to modify the recipient, subject, or even add additional headers to the email sent through the contact form, potentially enabling spamming or email delivery manipulation. The vulnerability is rated as 5.3 severity according to CVSS, indicating a moderate risk.
An attacker could exploit this vulnerability by submitting a malicious contact form with CRLF characters in the input fields. These characters would be injected into the email headers, allowing the attacker to control the email’s behavior. For example, an attacker could change the email recipient, add false headers, or even inject malicious code into the email body. The lack of authentication required to submit the contact form makes this vulnerability particularly concerning, as anyone can exploit it.
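The defect described above, as an added example that is not Pagelayer's own code: submitted fields are substituted into header templates and the lines are joined with CRLF, so a CR/LF inside a field becomes an extra header line. The template strings, field names and the submission are hypothetical and constructed for illustration; the hardened path strips control characters and additionally validates the address field.

```php
<?php
// Added example, not Pagelayer's code. Header templates, field names and
// the submission below are constructed for illustration.

/** Vulnerable: raw field values are substituted into the header templates. */
function build_headers_vulnerable(array $templates, array $fields): string {
    $lines = [];
    foreach ($templates as $tpl) {
        foreach ($fields as $name => $value) {
            $tpl = str_replace('{' . $name . '}', (string) $value, $tpl);
        }
        $lines[] = $tpl;
    }
    // Joining with CRLF means any CR/LF inside a value starts a new header line.
    return implode("\r\n", $lines);
}

/** Remove CR, LF and other control characters so a value can only be one header line. */
function neutralize_header_value(string $value): string {
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

/** Fixed: every field is neutralized, and the address field must parse as one address. */
function build_headers_fixed(array $templates, array $fields): ?string {
    $clean = array_map('neutralize_header_value', $fields);
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null; // reject the submission rather than mail a mangled address
    }
    return build_headers_vulnerable($templates, $clean);
}

/** Detection: a form field containing CR or LF has no legitimate use in a mail header. */
function looks_like_header_injection(array $fields): bool {
    foreach ($fields as $value) {
        if (preg_match('/[\r\n]/', (string) $value)) {
            return true;
        }
    }
    return false;
}

$templates = ['From: {name} <{email}>', 'Subject: {subject}'];
// Constructed hostile submission: the email field carries a CRLF and a second header.
$fields = [
    'name'    => 'Visitor',
    'email'   => "visitor@example.com>\r\nX-Injected: 1",
    'subject' => 'Hello',
];

echo build_headers_vulnerable($templates, $fields), "\n\n"; // extra header line appears
var_export(build_headers_fixed($templates, $fields));        // submission is rejected
echo "\n";
var_export(looks_like_header_injection($fields));            // flags the submission
```

Run with `php example.php`; on a clean submission `build_headers_fixed()` returns the same two header lines the vulnerable path does, and the detection helper returns false.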
Exploit Status
EPSS: 0.10% (28th percentile)
The solution to this vulnerability is to update the Page Builder: Pagelayer plugin to version 2.0.8 or higher. This version includes a fix that correctly neutralizes CRLF sequences in form fields before they are used in email headers. It is highly recommended that all users of the plugin apply this update as soon as possible to mitigate the risk of exploitation. Additionally, review server logs for any suspicious activity related to the contact form. If exploitation is suspected, change user account passwords and perform a comprehensive security scan of the website.
Update to version 2.0.8, or a newer patched version
A CRLF (Carriage Return Line Feed) sequence is a combination of two characters: a carriage return (\r) and a line feed (\n). It is used to indicate the end of a line of text in many operating systems and communication protocols.
If CRLF sequences are not neutralized correctly, they can be used to inject malicious code or manipulate the behavior of systems. In this case, they allow email header injection.
If you cannot update the plugin immediately, consider temporarily disabling the contact form or implementing additional security measures, such as input validation on the server-side.
Review server logs for suspicious activity related to the contact form. Look for emails sent to unknown recipients or with unusual subjects.
There are WordPress vulnerability scanners that can detect this vulnerability. You can also perform manual testing by submitting contact forms with CRLF characters in the input fields.