Skip to main content
CVE Vulnerability Database

CVE-2026-2442: Pagelayer WordPress Plugin CRLF Injection

CVE-2026-2442 is a CRLF injection vulnerability in the Pagelayer WordPress plugin that allows attackers to inject malicious email headers. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2026-2442 Overview

CVE-2026-2442 affects the Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress in all versions up to and including 2.0.7. The plugin's contact form handler performs placeholder substitution on attacker-controlled form fields, then passes the resulting values into email headers without stripping CR/LF characters. Unauthenticated attackers can inject arbitrary email headers such as Bcc or Cc through the email parameter when a contact form is configured to use placeholders in mail template headers. Successful exploitation enables abuse of the site's mail delivery to send messages to attacker-chosen recipients.

Critical Impact

Unauthenticated attackers can inject arbitrary email headers and abuse the WordPress site's contact form to deliver mail to attacker-selected recipients.

Affected Products

  • Pagelayer WordPress plugin versions ≤ 2.0.7
  • WordPress sites running Pagelayer contact forms with placeholders in mail template headers
  • Hosting environments where the plugin's sendmail flow is exposed to unauthenticated visitors

Discovery Timeline

  • 2026-03-28 - CVE-2026-2442 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-2442

Vulnerability Analysis

The flaw is a CRLF Injection issue classified under [CWE-93]: Improper Neutralization of CRLF Sequences. The Pagelayer contact form handler accepts user-supplied input through fields such as email, then substitutes those values into mail template placeholders. Resulting strings flow directly into PHP mail header construction without sanitization of carriage return (\r) or line feed (\n) characters.

Email header parsers treat CRLF as a header separator. An attacker who submits a value containing \r\n followed by a new header name and value can append arbitrary headers to outbound mail. The vulnerability requires a contact form configured to reference user input inside header placeholders, which is a common Pagelayer configuration. No authentication is required to reach the form handler.

Root Cause

The root cause is missing neutralization of CR/LF characters during placeholder substitution. The handler trusts that form input destined for email body context is safe for use in headers. When the configured mail template inserts a placeholder such as {{email}} into a header line, attacker-controlled CRLF sequences terminate the intended header and introduce new ones.

Attack Vector

The attack vector is network-based and unauthenticated. An attacker submits a crafted contact form request where the email parameter contains URL-encoded CRLF sequences followed by header names such as Bcc: and a list of recipient addresses. The injected headers cause the WordPress server to deliver the form-generated email to attacker-specified addresses in addition to the configured recipient. This enables spam relay, phishing campaigns leveraging the site's reputation, and reconnaissance of internal mail routing. See the Wordfence Vulnerability Report for behavioral analysis.

Detection Methods for CVE-2026-2442

Indicators of Compromise

  • Outbound mail from the WordPress host containing unexpected Bcc or Cc recipients not defined in plugin settings
  • POST requests to Pagelayer contact form endpoints where the email parameter contains %0d%0a, %0a, or raw CRLF byte sequences
  • Spikes in mail queue volume or bounce notifications for recipients unrelated to the site owner
  • Web server access logs showing repeated submissions to the same form from a single source with unusual payload lengths

Detection Strategies

  • Inspect HTTP request bodies destined for Pagelayer form handlers for \r\n sequences inside any field that maps to a mail header placeholder
  • Correlate WordPress wp_mail invocations with outbound SMTP traffic and flag messages whose header recipient count exceeds the configured form recipients
  • Apply WAF rules that decode URL-encoded input and block CRLF patterns in fields named email, name, subject, or other Pagelayer form keys

Monitoring Recommendations

  • Enable verbose logging on the mail transport agent and review headers of messages originated by the WordPress process
  • Monitor for new Bcc, Cc, Content-Type, or MIME-Version headers appearing in mail produced by Pagelayer forms
  • Track plugin file integrity for pagelayer directory contents to confirm patch deployment

How to Mitigate CVE-2026-2442

Immediate Actions Required

  • Update the Pagelayer plugin to a version later than 2.0.7 that includes the fix referenced in the WordPress Plugin Changeset
  • Audit existing contact form configurations and remove user-controlled placeholders from header fields such as From, Reply-To, Cc, and Bcc
  • Review recent mail logs for evidence of injected recipients prior to patching

Patch Information

The vendor addressed the issue in the Pagelayer plugin through the changeset published at the WordPress plugin repository. The fix strips CR and LF characters from values substituted into mail headers. Administrators should apply the update through the WordPress plugin dashboard or by replacing plugin files directly from the official repository.

Workarounds

  • Reconfigure all Pagelayer contact forms so that no user-submitted field is referenced inside mail template header lines, restricting placeholders to the message body only
  • Deploy a WAF rule that rejects POST requests containing %0d, %0a, or raw CRLF bytes in submissions to Pagelayer form endpoints
  • Restrict outbound SMTP from the WordPress host to approved relay servers that enforce recipient allowlists
bash
# Example WAF rule fragment to block CRLF in Pagelayer form submissions
SecRule REQUEST_URI "@contains pagelayer" \
    "chain,phase:2,deny,status:400,id:1002442,msg:'CVE-2026-2442 CRLF injection attempt'"
    SecRule ARGS "@rx (?:%0[ad]|\r|\n)" "t:lowercase,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.