CRLF Injection Vulnerability in WPForms Plugin by WPForms
CVE-2026-12127

5.3 MEDIUM

What is CVE-2026-12127?

The WPForms plugin for WordPress is susceptible to a CRLF Injection vulnerability in all versions up to and including 1.10.2. The flaw arises from improper handling of the Reply-To display name during smart-tag expansion, which bypasses the email-address validation that would otherwise apply. The function get_reply_to_address() processes the display name in the wrong context, relying on wpforms_sanitize_textarea_field(), which does not strip certain CR/LF characters. As a result, unauthenticated parties can inject arbitrary email headers, including a Bcc header, into outgoing notification emails, potentially causing copies of those emails to be delivered to an attacker-controlled address. Exploitation requires a form configuration that uses a Paragraph Text (textarea) field for the Reply-To display name.
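The context mismatch described above, as an added illustration that is not WPForms code: a paragraph-field sanitizer keeps line breaks by design, so a display name must be checked again in header context before it is placed in a Reply-To header. All function names and the sample inputs below are hypothetical and constructed for the example.

```php
<?php
// Added example, not WPForms code. Shows why a textarea sanitizer is the
// wrong context for an email header value and what a header-safe check
// looks like. All function names below are hypothetical.

// Stand-in for a paragraph-field sanitizer: strips markup but keeps line
// breaks, because a textarea legitimately contains them. Correct for the
// field, wrong for a header.
function paragraph_field_sanitize(string $value): string
{
    return strip_tags($value);
}

// Header context: a display name must be exactly one line. A lone CR, a
// lone LF or a CRLF pair ends the header, so anything after it would be
// parsed as a new header. Reject such values rather than repair them.
function header_safe_display_name(string $name): ?string
{
    if (preg_match('/[\r\n\x00]/', $name) === 1) {
        return null;
    }
    $name = trim($name);
    // Quote the name when it contains characters outside the RFC 5322
    // atext set (plus space and dot), escaping quotes and backslashes.
    if (preg_match('/[^A-Za-z0-9 !#$%&\'*+\/=?^_`{|}~.-]/', $name) === 1) {
        $name = '"' . addcslashes($name, '"\\') . '"';
    }
    return $name;
}

// Assembles the header only when both parts pass their own context's
// validation; the address goes through an address validator, not the
// display-name check.
function build_reply_to(string $display_name, string $address): ?string
{
    $name = header_safe_display_name($display_name);
    if ($name === null || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return 'Reply-To: ' . $name . ' <' . $address . '>';
}

// Constructed inputs: a one-line name, and a multi-line value of the kind a
// Paragraph Text field can carry into smart-tag expansion. strip_tags()
// leaves the CR/LF in place, so the header-context check is what stops it.
$oneLine   = paragraph_field_sanitize("Jane Doe");
$multiLine = paragraph_field_sanitize("Jane Doe\r\nBcc: copy@example.invalid");
var_dump(build_reply_to($oneLine, 'jane@example.com'));
var_dump(build_reply_to($multiLine, 'jane@example.com'));
```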

Affected Version(s)

WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More: version <= 1.10.2 (all versions up to and including 1.10.2)

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Jack Pas (Dark.)