CVE-2026-2442— Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-2442
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Pagelayer 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Pagelayer 2.0.7及之前版本存在注入漏洞,该漏洞源于联系表单处理程序对攻击者控制的表单字段执行占位符替换后未移除CR/LF字符,可能导致CRLF注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| softaculous | Page Builder: Pagelayer – Drag and Drop website builder | * ~ 2.0.7 | - |
II. Public POCs for CVE-2026-2442
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-2442
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Page Builder: Pagelayer – Drag and Drop website builder
- CVE-2026-2509
Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributo - CVE-2025-12366
Page Builder: Pagelayer – Drag and Drop website builder <= 2 - CVE-2025-4223
Page Builder: Pagelayer – Drag and Drop website builder <= 2 - CVE-2024-13427
Page Builder: Pagelayer – Drag and Drop website builder <= 2 - CVE-2025-2104
Page Builder: Pagelayer – Drag and Drop website builder <= 1
Same vendor: softaculous
- CVE-2026-2509
Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributo - CVE-2026-39469
WordPress PageLayer plugin <= 2.0.8 - Sensitive Data Exposur - CVE-2025-13085
SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object R - CVE-2025-12814
SiteSEO – SEO Simplified <= 1.3.2 - Improper Authorization t - CVE-2025-12366
Page Builder: Pagelayer – Drag and Drop website builder <= 2
Same weakness: CWE-93
- CVE-2026-42257
net-imap: Command Injection via "raw" arguments to multiple - CVE-2026-41570
PHPUnit: Argument injection via newline in PHP INI values fo - CVE-2026-41417
Netty vulnerable to HTTP request smuggling and RTSP request - CVE-2026-39849
Pi-hole FTL remote code execution via newline injection in d - CVE-2026-34458
Sandboxie-Plus privilege escalation via INI CRLF injection b
V. Comments for CVE-2026-2442
No comments yet