Description
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via corrupted Apache configuration
Action: Apply Patch
AI Analysis

Impact

Authenticated administrators can exploit the HTTP Headers WordPress plugin by inserting CRLF characters into custom header names or values, causing malicious newline insertion into the site’s .htaccess file. This injection is permitted because the plugin fails to sanitize user input before writing to .htaccess through insert_with_markers. The injected directives can break the Apache configuration and lead to site-wide service disruption, consistent with CWE‑93.

Affected Systems

Vendors and products affected are the Zinoui HTTP Headers WordPress plugin. All releases up to and including version 1.19.2 are vulnerable. No specific build or platform details are listed beyond the WordPress environment.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.5, indicating a moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The attack requires authenticated Administrator‑level access to the WordPress dashboard, after which an attacker can craft malicious header values and trigger the injection. If exploited, the effect is a denial of service resulting from corrupt .htaccess parsing.

Generated by OpenCVE AI on April 22, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HTTP Headers plugin to version 1.20 or newer, which contains the fix for CRLF injection.
  • If an upgrade cannot be applied immediately, temporarily disable the custom headers feature or delete any existing custom header entries to eliminate the injection vector.
  • Modify the plugin’s input handling to strip or reject CRLF sequences from header names and values, ensuring only allowed characters reach the .htaccess file.

Generated by OpenCVE AI on April 22, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zinoui
Zinoui http Headers
Vendors & Products Wordpress
Wordpress wordpress
Zinoui
Zinoui http Headers

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.
Title HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Wordpress Wordpress
Zinoui Http Headers
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T18:29:28.392Z

Reserved: 2026-02-18T21:00:50.620Z

Link: CVE-2026-2717

cve-icon Vulnrichment

Updated: 2026-04-22T18:29:12.898Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:20.987

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-2717

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:05Z

Weaknesses