Page Builder: Pagelayer CRLF Injection Vulnerability Allowing Unauthenticated Email Header Injection

Vulnerability

A CRLF injection vulnerability has been identified in the Page Builder: Pagelayer WordPress plugin, affecting all versions through 2.0.7. The issue arises because the contact form handler substitutes placeholders in user-controlled form fields and then transfers the modified values into email headers without stripping CR/LF characters. This flaw enables unauthenticated attackers to inject arbitrary email headers, such as Bcc or Cc, and manipulate email delivery through the 'email' parameter, provided they target a contact form that uses placeholders in the mail template headers.

Impact

Exploitation of this vulnerability allows for unauthorized injection of email headers, which could be misused to manipulate email delivery processes, such as adding unintended recipients via Bcc or Cc headers.

Remediation

Users are advised to update the Page Builder: Pagelayer plugin to version 2.0.8 or a later patched version.
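
For code that fills mail header templates from form input, the check that closes this class of bug looks like the sketch below. It is an added example, not code from the Pagelayer plugin or its patch; the function names `header_safe` and `fill_header`, the `{{field}}` placeholder syntax and the sample submissions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the {{field}} syntax are assumptions,
// not taken from the Pagelayer source.

/** Return $value only if it is usable as a single-line header value. */
function header_safe(string $value): string
{
    // CR, LF or NUL inside a value would let it start a new header line.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

/** Substitute {{field}} placeholders in one header template line. */
function fill_header(string $template, array $fields): string
{
    $line = preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        static function (array $m) use ($fields): string {
            $raw = $fields[$m[1]] ?? '';
            $value = header_safe(is_string($raw) ? $raw : '');
            // The "email" field must also parse as exactly one address.
            if ($m[1] === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                throw new InvalidArgumentException('invalid email address');
            }
            return $value;
        },
        $template
    );
    // Re-check the finished line so a broken template cannot slip through.
    return header_safe((string) $line);
}

// Constructed sample input: one normal submission, one carrying CR/LF.
$template = 'Reply-To: {{name}} <{{email}}>';
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.com'],
    ['name' => 'Alice', 'email' => "alice@example.com\r\nBcc: other@example.net"],
];

foreach ($samples as $fields) {
    try {
        echo 'accepted: ', fill_header($template, $fields), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The sketch rejects a submission outright instead of silently stripping the characters, so that attempts show up in error handling and logs.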

Added: Mar 28, 2026, 10:18 AM
Updated: Mar 28, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.3
exploitability: 9.0
remediation: 7.7
relevance: 4.8
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.