FKIE_CVE-2026-2442

Vulnerability from fkie_nvd - Published: 2026-03-28 10:16 - Updated: 2026-04-24 16:36
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset/3464204/pagelayer
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the \u0027email\u0027 parameter granted they can target a contact form configured to use placeholders in mail template headers."
    },
    {
      "lang": "es",
      "value": "El Page Builder: Pagelayer \u2013 plugin constructor de sitios web de arrastrar y soltar para WordPress es vulnerable a la Neutralizaci\u00f3n Incorrecta de Secuencias CRLF (\u0027Inyecci\u00f3n CRLF\u0027) en todas las versiones hasta la 2.0.7, inclusive. Esto se debe a que el gestor del formulario de contacto realiza la sustituci\u00f3n de marcadores de posici\u00f3n en campos de formulario controlados por el atacante y luego pasa los valores resultantes a las cabeceras de correo electr\u00f3nico sin eliminar los caracteres CR/LF. Esto hace posible que atacantes no autenticados inyecten cabeceras de correo electr\u00f3nico arbitrarias (por ejemplo, Cco / Cc) y abusen de la entrega de correo electr\u00f3nico del formulario a trav\u00e9s del par\u00e1metro \u0027email\u0027, siempre que puedan apuntar a un formulario de contacto configurado para usar marcadores de posici\u00f3n en las cabeceras de la plantilla de correo."
    }
  ],
  "id": "CVE-2026-2442",
  "lastModified": "2026-04-24T16:36:24.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-28T10:16:30.980",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.