CVE-2026-2442

{"id": "CVE-2026-2442", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-28T10:16:30.980", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers."}, {"lang": "es", "value": "El Page Builder: Pagelayer \u2013 plugin constructor de sitios web de arrastrar y soltar para WordPress es vulnerable a la Neutralizaci\u00f3n Incorrecta de Secuencias CRLF ('Inyecci\u00f3n CRLF') en todas las versiones hasta la 2.0.7, inclusive. Esto se debe a que el gestor del formulario de contacto realiza la sustituci\u00f3n de marcadores de posici\u00f3n en campos de formulario controlados por el atacante y luego pasa los valores resultantes a las cabeceras de correo electr\u00f3nico sin eliminar los caracteres CR/LF. Esto hace posible que atacantes no autenticados inyecten cabeceras de correo electr\u00f3nico arbitrarias (por ejemplo, Cco / Cc) y abusen de la entrega de correo electr\u00f3nico del formulario a trav\u00e9s del par\u00e1metro 'email', siempre que puedan apuntar a un formulario de contacto configurado para usar marcadores de posici\u00f3n en las cabeceras de la plantilla de correo."}], "lastModified": "2026-04-24T16:36:24.067", "sourceIdentifier": "security@wordfence.com"}