CVE-2026-2442: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in softaculous Page Builder: Pagelayer – Drag and Drop website builder
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter, provided they can target a contact form configured to use placeholders in mail template headers.
AI Analysis
Technical Summary
CVE-2026-2442 is a CWE-93 Improper Neutralization of CRLF Sequences vulnerability in the Page Builder: Pagelayer WordPress plugin. The issue arises from the contact form handler performing placeholder substitution on user-supplied input and then passing these values into email headers without sanitizing CR/LF characters. This allows unauthenticated attackers to inject arbitrary email headers, potentially abusing the email delivery mechanism of the contact form. The vulnerability affects all versions up to and including 2.0.7. No known exploits are reported in the wild, and no patch or remediation details are currently available.
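The substitution pattern described above, next to a neutralised counterpart, as an added PHP example that is not Pagelayer's code. The `{{name}}` placeholder syntax, the function names, the header templates and the sample values are all assumptions made for illustration.

```php
<?php
// Added example, not Pagelayer's code. The {{name}} placeholder syntax, the
// function names and the sample values are assumptions made for illustration.

// Pattern from the advisory: form values are substituted into a header
// template as-is, so a CR/LF inside a value starts a new header line.
function render_header_unsafe(string $template, array $fields): string {
    $map = [];
    foreach ($fields as $name => $value) {
        $map['{{' . $name . '}}'] = (string) $value;
    }
    return strtr($template, $map);
}

// Hardened form: neutralise every value before it reaches the header.
// Returns null when the submission should be refused.
function render_header_safe(string $template, array $fields, array $addressFields = ['email']): ?string {
    $map = [];
    foreach ($fields as $name => $value) {
        $value = (string) $value;
        if (in_array($name, $addressFields, true)) {
            // An address field must be exactly one syntactically valid address.
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                return null;
            }
        } else {
            // Free-text fields: collapse CR, LF and other control bytes to a space.
            $value = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
        }
        $map['{{' . $name . '}}'] = $value;
    }
    $header = strtr($template, $map);
    // Final guard: a rendered header is a single line or it is not sent.
    return preg_match('/[\r\n]/', $header) === 1 ? null : $header;
}

// Constructed sample input.
$replyTo = 'Reply-To: {{email}}';
$subject = 'Subject: Contact form message from {{name}}';
$benign  = ['name' => 'Site Visitor', 'email' => 'visitor@example.test'];
$crafted = ['name' => 'Site Visitor', 'email' => "visitor@example.test\r\nBcc: other@example.test"];

$lines = preg_split('/\r\n|\r|\n/', render_header_unsafe($replyTo, $crafted));
printf("unsafe render of crafted input: %d header lines\n", count($lines));
var_dump(render_header_safe($replyTo, $crafted));   // crafted address is refused
var_dump(render_header_safe($replyTo, $benign));    // valid address passes through
var_dump(render_header_safe($subject, ['name' => "Site\r\nVisitor"]));
```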
Potential Impact
The vulnerability allows unauthenticated attackers to inject arbitrary email headers via the contact form's 'email' parameter, potentially enabling abuse of the email delivery system, such as adding Bcc or Cc recipients. This can lead to misuse of the contact form for spam or phishing campaigns. No direct impact on confidentiality or availability is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling contact forms that use placeholder substitution in mail template headers or restrict access to such forms. Monitoring vendor channels for updates is recommended.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-13T01:21:59.845Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c7a4822b68dbd88ed883f8
Added to database: 3/28/2026, 9:50:58 AM
Last enriched: 4/11/2026, 12:50:52 PM
Last updated: 5/12/2026, 2:27:28 PM