Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AC:H reflects the required non-default admin configuration as a gating precondition; C:L added because notification email content including PII is disclosed to the attacker via Bcc injection.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to get_reply_to_address() processing the Reply-To display name through smart-tag expansion with context 'notification' instead of 'notification-reply-to', which bypasses email-address validation while wpforms_sanitize_textarea_field() intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw Reply-To: mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers - such as Bcc: - into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.
AnalysisAI
CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from get_reply_to_address() applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by wpforms_sanitize_textarea_field() to pass unstripped into raw mail header concatenation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a site administrator has explicitly configured a form notification to use a Paragraph Text (textarea) field as the Reply-To display name source via a WPForms Smart Tag (e.g., a `{field_id="N"}` Smart Tag pointing to a textarea-type field). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects network accessibility and the absence of authentication requirements, but the C:N rating understates real-world impact: successful exploitation silently copies all notification emails - which typically contain form submission data including PII such as names, contact details, and message content - to an attacker-controlled address, representing a genuine confidentiality breach that warrants at minimum C:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running WPForms where a public-facing form has been configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag - a configuration sometimes used to dynamically echo a submitter's freeform name into the reply header. The attacker submits the form with a crafted textarea value such as `Attacker Name Bcc: attacker@evil.com`, which passes through `wpforms_sanitize_textarea_field()` with the CRLF intact and is concatenated unstripped into the outgoing `Reply-To:` header. … |
| Remediation | Update WPForms (wpforms-lite) to version 1.10.2.1 or later, which addresses the CRLF injection by correcting the smart-tag expansion context in `get_reply_to_address()` and ensuring CR/LF characters are stripped before header concatenation, as confirmed by the WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2&new_path=%2Fwpforms-lite/tags/1.10.2.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40907
GHSA-95c2-pg6v-7hqp