Pagelayer < 2.0.8 – Unauthenticated Email Header Injection via 'email' | CVE 2026-2442 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.

Affects Plugins

Fixed in 2.0.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab

Classification

Type

INJECTION

OWASP top 10

CVSS

Miscellaneous

Original Researcher

Drew Webber (mcdruid)

Verified

No

WPVDB ID

569a93c9-e931-4717-8be6-392fa935da8b

Timeline

Publicly Published

2026-03-27 (about 1 month ago)

Added

2026-03-30 (about 1 month ago)

Last Updated

2026-03-30 (about 1 month ago)

Other

Published

Title

Published

2024-08-27

Title

Relevanssi Live Ajax Search < 2.5 - Unauthenticated WP_Query Argument Injection

Published

2023-06-23

Title

Supsystic Popup < 1.10.19 - Prototype Pollution

Published

2024-07-17

Title

Cooked Pro < 1.8.0 - Authenticated (Contributor+) HTML Injection

Published

2018-05-01

Title

Form Maker by WD < 1.12.24 - CSV Injection

Published

2021-10-11

Title

Loco Translate < 2.5.4 - Authenticated PHP Code Injection