WordPress Security Bulletin: Page Builder: Pagelayer Plugin Vulnerability (CVE-2026-2442)

Security Alert Summary

The Page Builder: Pagelayer plugin for WordPress contains a CRLF injection vulnerability in its contact form handler. An attacker can supply CR/LF characters in form fields that are substituted into mail header templates, potentially allowing injection of additional email headers (for example Bcc or Cc) via the email parameter on vulnerable contact forms.

CVE Details

  • CVE ID: CVE-2026-2442
  • Affected component: Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress
  • Affected versions: All versions up to, and including, 2.0.7
  • Published: March 28, 2026 at 10:16:30 AM
  • Last modified: March 28, 2026 at 10:16:30 AM
  • CVSS v3.1: Base Score 5.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication required: No
  • Privileges required: None
  • User interaction: None
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • Weakness: CWE-93 (Improper Neutralization of CRLF Sequences)

Technical Details

This vulnerability is an instance of CRLF injection in the plugin’s contact form handler. The handler performs placeholder substitution on attacker-controlled form fields and then inserts the resulting values directly into email headers without removing CR or LF characters. Because CR and LF are not neutralized, an attacker who can submit values to a contact form that uses placeholders in mail template headers can terminate the current header line and inject additional headers such as Bcc or Cc. The CVE description specifically identifies the email parameter as the input that can be abused when the contact form is configured to use placeholders in header templates.

The issue exists across all affected versions noted above because the substitution and header construction do not strip or validate CR/LF sequences before composing email headers. The impact is limited to email header manipulation rather than direct database or file system modification, consistent with the CVSS integrity impact of Low and no confidentiality or availability impact.
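To make the substitution flaw concrete, the following PHP is an added illustration and is not Pagelayer's code: a header builder that substitutes form fields into a template as-is, beside a hardened version that validates the address field and strips CR, LF and NUL from every substituted value. The function names, the `{placeholder}` syntax, the sample template and the sample submission are all assumptions constructed for this example.

```php
<?php
// Added example, not the plugin's code. Function names, the {placeholder}
// syntax, the template and the sample submission are constructed.

// Vulnerable pattern described in the advisory: form fields are substituted
// into a header template and the result is used unchanged, so a CR/LF
// inside a field ends the current header line and begins a new one.
function build_headers_vulnerable(string $template, array $fields): string
{
    foreach ($fields as $name => $value) {
        $template = str_replace('{' . $name . '}', $value, $template);
    }
    return $template;
}

// Detection helper: true when a submitted value carries line terminators
// that must never reach a mail header. Useful for logging rejected posts.
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Hardened form: validate the address field before use and strip CR, LF
// and NUL from every substituted value, so no field can add a header.
function build_headers_hardened(string $template, array $fields): ?string
{
    if (!isset($fields['email'])
        || filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null; // reject the submission instead of sending mail
    }
    foreach ($fields as $name => $value) {
        $clean = str_replace(["\r", "\n", "\0"], '', $value);
        $template = str_replace('{' . $name . '}', $clean, $template);
    }
    return $template;
}

// Constructed sample submission: the email field carries an extra line, the
// pattern the advisory describes. The vulnerable builder emits it as a
// second header; the hardened builder rejects the submission outright.
$template = "From: {name} <{email}>\r\nReply-To: {email}";
$fields   = [
    'name'  => 'Alice',
    'email' => "alice@example.com\r\nBcc: mailbox@example.net",
];

echo json_encode(build_headers_vulnerable($template, $fields)), PHP_EOL;
var_dump(has_crlf($fields['email']));
var_dump(build_headers_hardened($template, $fields));
```

On a WordPress site the returned header string would normally be handed to wp_mail(); the point is that sanitization must happen before that call, on every value that reaches a header.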

How This Could Impact Your Website

Consider a site that uses Pagelayer contact forms to send notifications to staff. An unauthenticated external user could submit a form with specially crafted input in the email field. If the form uses placeholders in mail header templates, the attacker could inject additional recipient headers, causing form emails to be forwarded to unintended addresses.

In a realistic scenario, a site owner or internal staff member might receive form submissions as usual while Bcc or Cc headers cause copies to be sent externally. This can expose internal or staff email addresses indirectly via forwarded messages and increase the risk of targeted phishing or social engineering against staff or contractors who receive those messages.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and other non-administrator roles that can submit content or forms.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site and email delivery activity for unusual behavior, such as unexpected recipients on form-generated messages.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
