CVE-2026-2442 is a CRLF injection vulnerability classified under CWE-93, found in the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress. The issue arises because the plugin's contact form handler performs placeholder substitution on attacker-controlled form fields and subsequently inserts these values directly into email headers without sanitizing or removing carriage return (CR) and line feed (LF) characters. This improper neutralization allows an unauthenticated attacker to inject arbitrary email headers, such as Bcc or Cc, by manipulating the 'email' parameter in the contact form. The vulnerability affects all versions up to and including 2.0.7. Exploitation requires that the targeted contact form is configured to use placeholders in mail template headers, which is a common configuration in many WordPress contact forms. The injected headers can be used to manipulate email delivery, potentially enabling spam relay, phishing, or other malicious email activities. The CVSS v3.1 base score is 5.3, reflecting medium severity due to the lack of confidentiality or availability impact and the ease of exploitation without authentication or user interaction. No patches or known exploits in the wild have been reported as of the publication date. The vulnerability highlights the importance of proper input validation and sanitization in web applications, especially when user input is incorporated into email headers.

The primary impact of this vulnerability is on the integrity of email communications sent via the vulnerable contact forms. Attackers can inject additional email headers, potentially allowing them to add Bcc or Cc recipients, which can be exploited to send spam or phishing emails from legitimate websites. This can damage the reputation of affected organizations and lead to blacklisting of their email domains. Although confidentiality and availability are not directly impacted, the abuse of email functionality can indirectly affect business operations and trust. Organizations relying on the affected plugin for customer communications may face increased risk of email-based attacks and reputational harm. Since exploitation does not require authentication or user interaction, the attack surface is broad, especially for publicly accessible contact forms. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a significant risk until patched.

Organizations should immediately review their use of the Page Builder: Pagelayer plugin and identify any contact forms configured with placeholders in mail template headers. Until an official patch is released, administrators should consider disabling or restricting the affected contact forms to prevent exploitation. Implement input validation and sanitization routines that explicitly remove or encode CR and LF characters from user-supplied input used in email headers. Employ web application firewalls (WAFs) with rules designed to detect and block CRLF injection attempts targeting email headers. Monitor outgoing email logs for unusual header patterns or unexpected recipients that may indicate exploitation attempts. Stay informed about updates from the plugin vendor and apply patches promptly once available. Additionally, consider using alternative contact form plugins with robust security practices if immediate patching is not feasible. Regular security audits and penetration testing focusing on email injection vulnerabilities can help detect similar issues proactively.