{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2442", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T01:21:59.845Z", "datePublished": "2026-03-28T09:27:10.474Z", "dateUpdated": "2026-03-30T18:27:20.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T09:27:10.474Z"}, "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers."}], "title": "Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')", "cweId": "CWE-93", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber"}], "timeline": [{"time": "2026-02-13T01:38:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-27T20:45:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:27:13.988527Z", "id": "CVE-2026-2442", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:27:20.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:27:13.988527Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:27:17.266Z"}}], "cna": {"title": "Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'", "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "softaculous", "product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T01:38:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-27T20:45:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T09:27:10.474Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2442", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:27:20.098Z", "dateReserved": "2026-02-13T01:21:59.845Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-28T09:27:10.474Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers."}], "id": "CVE-2026-2442", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-28T10:16:30.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder", "source": "cna", "vendor": "softaculous"}, "product": "page_builder:_pagelayer_\u2013_drag_and_drop_website_builder", "vendor": "softaculous"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-28T10:20:24.316346+00:00", "value": {"mitigation_remediation": ["Update Pagelayer to a version newer than 2.0.7.", "If a patch is unavailable, disable placeholder usage in the email header template of the contact form to prevent CRLF injection.", "Apply server\u2011side sanitization to strip CR/LF characters from form input before it is used in email headers.", "Monitor email logs for unexpected header usage or unusual outbound mail activity."], "summary": {"action": "Patch", "impact": "Untrusted email header injection"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the Pagelayer plugin for WordPress, developed by Softaculous, up to and including version\u202f2.0.7. Any WordPress site that has the contact form feature enabled and uses placeholder values in email headers is susceptible.", "description_and_impact": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress allows unauthenticated users to inject arbitrary email headers by exploiting improper CRLF neutralization in the contact form handler. The vulnerability stems from placeholder substitution that is then inserted into email headers without sanitization, enabling header injection such as Bcc or Cc. This can be used to send spam or redirect mail from the site, compromising the integrity of the website\u2019s email system.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, but the lack of authentication required and the publicly accessible contact form make exploitation straightforward. Attackers can exploit the flaw by submitting crafted form data to inject headers, thereby misusing the site\u2019s email functionality or sending unwanted mail."}}}}, "created": "2026-03-29T20:32:37.842233+00:00", "updated": "2026-03-30T06:59:46.942062+00:00", "vendors": ["softaculous", "softaculous$PRODUCT$page_builder:_pagelayer_\u2013_drag_and_drop_website_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}