CVE-2026-2442
Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
We have discovered 10,373 live websites that are affected by CVE-2026-2442.
Affected Software
| Product |  Pagelayer |
| Category | Wordpress Plugins |
| Vulnerable Domains | 10,373 live websites (71% of Pagelayer install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 84 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')Details
- Published - Mar 28, 2026
- Updated - Apr 8, 2026
Credits
- Drew Webber (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-2442 United States | 2,957 websites |
 GB | 653 websites |
 Italy | 592 websites |
 South Africa | 424 websites |
 Brazil | 401 websites |
 France | 386 websites |
 Indonesia | 369 websites |
 Canada | 357 websites |
 Germany | 338 websites |
 Romania | 334 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2442| .com | 4,371 websites |
| .org | 637 websites |
| .it | 377 websites |
| .com.br | 366 websites |
| .net | 333 websites |
| .co.uk | 246 websites |
| .ca | 171 websites |
| .pl | 169 websites |
| .nl | 168 websites |
| .com.au | 129 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2442
Top websites that are affected by CVE-2026-2442. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.****.edu | United States | ***,*** | |
| ****.ca | Canada | ***,*** | |
| *********.com |  Portugal | ***,*** | |
| **********.com | GB | ***,*** | |
| *********.com | United States | ***,*** | |
| ******.net | Indonesia | ***,*** | |
| ******************.net | Canada | ***,*** | |
| **********.com | United States | ***,*** | |
| **************.com | United States | ***,*** | |
| ******.org | United States | ***,*** |
FAQ
CVE-2026-2442 is Improper Neutralization of CRLF Sequences ('CRLF Injection') in Pagelayer
A total of 10,373 websites have been identified as vulnerable to CVE-2026-2442, based on global website indexing conducted by WebTechSurvey.
The Pagelayer is affected by the CVE-2026-2442 vulnerability.
Pagelayer versions up to and including 2.0.7 are vulnerable to CVE-2026-2442.