Description
The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-04-22
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that can execute arbitrary scripts on pages viewed by any user, potentially enabling session hijacking, defacement, or data theft.
Action: Apply Patch
AI Analysis

Impact

The HTTP Headers WordPress plugin allows administrators to add custom HTTP headers through a settings page. In versions up to 1.19.2, the input for this feature is not properly sanitized or escaped, creating a stored XSS vulnerability. An authenticated attacker with administrator rights can inject malicious scripts that will run whenever any user loads a page on the site. This flaw may lead to credential theft, defacement, or other malicious payload delivery.

Affected Systems

The vulnerability exists in the HTTP Headers plugin for WordPress, versions 1.19.2 and earlier. It only applies to multi‑site installations and sites where the "unfiltered_html" capability has been disabled, meaning that administrators can exploit the flaw in such environments.

Risk and Exploitability

The CVSS score of 4.4 indicates a moderate severity. Because the flaw requires administrator privileges, the attack surface is limited to users who have compromised or legitimately possess admin rights. No publicly available exploit is documented and the EPSS score is not available, further suggesting a lower likelihood of widespread exploitation. However, the vulnerability is not listed in CISA KEV, so it is not currently flagged in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to log into the WordPress dashboard, edit the Custom Headers setting, and inject malicious JavaScript that is then stored and served to all site visitors.

Generated by OpenCVE AI on April 22, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HTTP Headers plugin to the latest available version (1.19.3 or newer) which removes the unsanitized input handling.
  • If an update cannot be applied immediately, temporarily disable the Custom Headers feature or remove the plugin entirely to eliminate the attack vector.
  • Verify that the unfiltered_html capability is not granted to non‑administrator roles as an additional precaution, ensuring that only trusted users can add custom HTML or scripts.

Generated by OpenCVE AI on April 22, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zinoui
Zinoui http Headers
Vendors & Products Wordpress
Wordpress wordpress
Zinoui
Zinoui http Headers

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Zinoui Http Headers
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T15:31:52.544Z

Reserved: 2026-01-23T18:33:16.029Z

Link: CVE-2026-1379

cve-icon Vulnrichment

Updated: 2026-04-22T15:25:29.447Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:19.667

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-1379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:29Z

Weaknesses