PT-2026-28338 · WordPress · Pagelayer

Drew Webber · Published 2026-03-28 · Updated 2026-06-13 · CVE-2026-2442

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Page Builder: Pagelayer versions up to and including 2.0.7

Description

The Page Builder: Pagelayer WordPress plugin is susceptible to CRLF Injection due to improper handling of Carriage Return and Line Feed characters in the contact form handler. The plugin performs placeholder substitution on attacker-controlled form fields and passes the resulting values into email headers without removing CR/LF characters. This allows unauthenticated attackers to inject arbitrary email headers, such as Bcc or Cc, and potentially abuse form email delivery through the email parameter, provided they can target a contact form configured to use placeholders in mail template headers.

Recommendations

Update Page Builder: Pagelayer to a version later than 2.0.7.
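
The header-building flaw described above, shown beside a hardened form as an added example (not Pagelayer's code and not part of the original advisory). The function names, the `{{field}}` placeholder syntax and the sample form values are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Pagelayer's code.

// Vulnerable pattern: {{field}} placeholders are replaced with raw form
// values, so a CR/LF inside a value ends the header and starts a new one.
function fill_header_unsafe(string $template, array $fields): string {
    return preg_replace_callback('/\{\{(\w+)\}\}/', function ($m) use ($fields) {
        return (string) ($fields[$m[1]] ?? '');
    }, $template);
}

// Hardened pattern: address fields must validate as a single e-mail address
// (the submission is rejected otherwise); other values are forced onto one line.
function fill_header_safe(string $template, array $fields, array $emailFields = ['email']): string {
    return preg_replace_callback('/\{\{(\w+)\}\}/', function ($m) use ($fields, $emailFields) {
        $value = (string) ($fields[$m[1]] ?? '');
        if (in_array($m[1], $emailFields, true)) {
            // FILTER_VALIDATE_EMAIL fails on control characters and trailing text.
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                throw new InvalidArgumentException("invalid value for field '{$m[1]}'");
            }
            return $value;
        }
        // Replace CR, LF and other control characters with a space.
        return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
    }, $template);
}

// Count the header lines a mailer would see in a filled-in template.
function header_line_count(string $headers): int {
    return count(preg_split('/\r\n|\r|\n/', $headers));
}

// Constructed sample input: a header template and a submitted form.
$template = 'Reply-To: {{name}} <{{email}}>';
$fields = [
    'name'  => "Alice\r\nExample",
    'email' => "visitor@example.com\r\nBcc: third-party@example.net",
];

printf("unsafe: %d header line(s)\n", header_line_count(fill_header_unsafe($template, $fields)));
try {
    printf("safe: %d header line(s)\n", header_line_count(fill_header_safe($template, $fields)));
} catch (InvalidArgumentException $e) {
    printf("safe: submission rejected (%s)\n", $e->getMessage());
}
```

The same check applies to every value that reaches a header, including the subject and any From, Reply-To, Cc or Bcc template.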

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-2442

Affected Products

Pagelayer