CVE-2026-12127 PUBLISHED

WPForms <= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name

Assigner: Wordfence
Reserved: 12.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2. This is due to get_reply_to_address() processing the Reply-To display name through smart-tag expansion with the context 'notification' instead of 'notification-reply-to', which bypasses email-address validation. At the same time, wpforms_sanitize_textarea_field() intentionally preserves CR/LF characters, and those characters are never stripped before the display name is concatenated into the raw Reply-To: mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers — such as Bcc: — into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.
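The defect described above is a display name reaching a raw header string with CR/LF intact. The following is an added example of the hardening a plugin author would apply at that concatenation point; it is not WPForms code, and the helper names build_reply_to_header() and sanitize_header_display_name() and the sample inputs are constructed for illustration. The address is validated on its own, the display name is stripped of every control character and quoted, and a final guard refuses to emit any header that still spans more than one line.

```php
<?php
// Added example, not WPForms code. Hypothetical helpers for building a
// single-line Reply-To header from untrusted form input.

/**
 * Neutralize a display name for use inside a mail header.
 * All control characters (including CR, LF and NUL) are removed rather
 * than encoded, so the value can never terminate the header line and
 * start a new one such as Bcc:. Backslash and double quote are escaped
 * so the result is a valid RFC 5322 quoted-string.
 */
function sanitize_header_display_name(string $name): string {
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    $name = trim($name);
    return addcslashes($name, "\\\"");
}

/**
 * Build a Reply-To header, or return null when the address is invalid
 * or the assembled header would not fit on one line.
 */
function build_reply_to_header(string $display_name, string $address): ?string {
    // The address is validated independently; the display name never
    // contributes to it, so a bad name cannot bypass this check.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $name   = sanitize_header_display_name($display_name);
    $header = ($name === '')
        ? "Reply-To: <{$address}>"
        : "Reply-To: \"{$name}\" <{$address}>";

    // Defense in depth: refuse any header that still contains a line break.
    if (preg_match('/[\r\n]/', $header) === 1) {
        return null;
    }
    return $header;
}

// Constructed inputs (not taken from the advisory).
$benign  = build_reply_to_header('Jane Doe', 'jane@example.com');
$hostile = build_reply_to_header("Jane\r\nBcc: someone@example.invalid", 'jane@example.com');

// Both results are single header lines; the CR/LF in the second name is gone,
// so the text after it stays inside the quoted display name instead of
// becoming a separate Bcc: header.
echo $benign, PHP_EOL;
echo $hostile, PHP_EOL;
echo (strpos($hostile, "\n") === false ? 'single line' : 'MULTI-LINE'), PHP_EOL;

// An invalid address yields null rather than a header.
var_dump(build_reply_to_header('Jane', 'not-an-address'));
```

The same two checks, validate the address on its own and reject any assembled header containing CR or LF, are what a reviewer would look for around every place a user-supplied value is concatenated into a mail header, regardless of which sanitizer the value passed through earlier.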

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor smub
Product WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More
Versions Default: unaffected
  • affected from 0 to 1.10.2 (incl.)

Credits

  • Jack Pas (Dark.) finder

References

Problem Types

  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')