CRLF Injection Vulnerability in WPForms Plugin by WPForms
CVE-2026-12127
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12127?
The WPForms plugin for WordPress is susceptible to a CRLF Injection vulnerability across all versions up to and including 1.10.2. This vulnerability arises from the improper handling of the Reply-To display name during smart-tag expansion, which bypasses essential email-address validation. The function get_reply_to_address() processes the display name in the wrong context, allowing attackers to exploit the behavior of wpforms_sanitize_textarea_field(), which fails to strip certain CR/LF characters. Consequently, this vulnerability enables unauthenticated parties to inject arbitrary email headers, including the Bcc header, into outgoing notification emails, potentially forwarding email copies to an attacker-controlled address. A configuration that utilizes a Paragraph Text (textarea) field for the Reply-To display name is required for exploitation.
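The root cause above is a context mismatch: a sanitizer written for a multi-line Paragraph Text field legitimately keeps line breaks, but a value that ends up inside an email header must never contain them. The following is an added illustration, not WPForms code; the function names, the sanitizer bodies and the sample input are hypothetical and constructed for this example.

```php
<?php
// Added example (not WPForms code): contrast a textarea-context sanitizer with
// a header-context sanitizer, and build a Reply-To value that cannot span lines.

// Textarea-style sanitizer (hypothetical): removes tags and most control
// characters but deliberately keeps TAB, CR and LF, because a paragraph field
// is expected to hold multi-line text. Correct for that field, unsafe for a header.
function sanitize_textarea_value(string $value): string {
    $value = strip_tags($value);
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
}

// Header-context sanitizer: a display name is a single line by definition, so
// every C0 control character (CR and LF included) is collapsed to a space and
// the result is quoted per RFC 5322 so it cannot be read as header structure.
function sanitize_header_display_name(string $name): string {
    $name = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $name);
    $name = trim($name);
    return '"' . addcslashes($name, '"\\') . '"';
}

// Build a Reply-To header value; refuse an invalid address outright and, as
// defense in depth, refuse any result that still contains a line break.
function build_reply_to(string $display_name, string $address): ?string {
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $header = sanitize_header_display_name($display_name) . ' <' . $address . '>';
    if (preg_match('/[\r\n]/', $header) === 1) {
        return null;
    }
    return $header;
}

// Constructed input modelled on the advisory: a CRLF followed by an extra header line.
$untrusted = "Jane Doe\r\nBcc: attacker@example.invalid";

echo "Textarea sanitizer keeps the line break (two header lines):\n";
var_dump(sanitize_textarea_value($untrusted));

echo "Header-safe builder yields a single line:\n";
var_dump(build_reply_to($untrusted, 'jane@example.com'));
// Expected: "\"Jane Doe Bcc: attacker@example.invalid\" <jane@example.com>",
// one line with the injected header neutralised into quoted display-name text.
```

The point for reviewers is the second check in build_reply_to(): even if an upstream sanitizer is swapped for one that misses some control character, a header value that still contains CR or LF is rejected rather than sent.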
Affected Version(s)
WPForms - AI Form Builder for WordPress - Contact Forms, Payment Forms, Survey Form, Quiz & More: all versions from 0 up to and including 1.10.2