CVE-2026-2717
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of the custom header name and value fields before they are written to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject newline characters, and therefore additional Apache directives, into the .htaccess configuration file via the 'Custom Headers' settings. A malformed directive causes an Apache configuration parse error, and because Apache refuses every request served under a directory whose .htaccess fails to parse, the result is a potential site-wide denial of service.
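The following is an added illustration of the pattern the advisory describes and of the check that closes it; it is not the http-headers plugin's own code, and the function names, the `HttpHeaders` marker, the .htaccess path and the attacker-supplied value are all constructed for the example. The one real API used is WordPress core's `insert_with_markers()`, which joins the lines it is given with `"\n"` and does not itself strip line breaks from them, so any CR/LF must be rejected by the caller before that point.

```php
<?php
/*
 * Added illustration for this advisory; NOT the http-headers plugin's code.
 * Function names, the 'HttpHeaders' marker, $htaccess_path and the attacker
 * value below are constructed for the example. Requires PHP 7.1+.
 */

$htaccess_path = '/var/www/html/.htaccess'; // assumed location

/**
 * Weak pattern: interpolate the stored name/value straight into an Apache
 * "Header set" line. A CR or LF inside either field becomes a line break in
 * .htaccess, so the tail of the value is parsed as a new directive.
 * insert_with_markers() does not strip line breaks from the lines it is
 * given, so the weakness has to be caught before that call.
 */
function build_header_directives_unsafe( array $headers ): array {
	$lines = array();
	foreach ( $headers as $name => $value ) {
		$lines[] = sprintf( 'Header set %s "%s"', $name, $value );
	}
	return $lines;
}

/**
 * Hardened pattern: allow only RFC 7230 token characters in the header name,
 * reject any ASCII control character (CR, LF, NUL, TAB, ...) in the value and
 * escape the characters that could end the quoted Apache argument.
 * Returns null for a bad entry so the caller can refuse to touch .htaccess
 * instead of writing a mangled file.
 */
function build_header_directives_safe( array $headers ): ?array {
	$lines = array();
	foreach ( $headers as $name => $value ) {
		if ( ! preg_match( '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name ) ) {
			return null; // not a valid HTTP field name
		}
		if ( preg_match( '/[\x00-\x1F\x7F]/', $value ) ) {
			return null; // control character: CRLF injection attempt or junk
		}
		$value   = str_replace( array( '\\', '"' ), array( '\\\\', '\\"' ), $value );
		$lines[] = sprintf( 'Header set %s "%s"', $name, $value );
	}
	return $lines;
}

// Constructed input: a custom header whose value smuggles a CRLF and a bogus
// directive, the shape of input the advisory describes.
$headers = array(
	'X-Frame-Options' => "DENY\r\nNotADirective on",
);

// The weak builder hands insert_with_markers() a single element that contains
// a raw line break, so .htaccess ends up with a second, unparseable line.
$unsafe = build_header_directives_unsafe( $headers );
echo implode( "\n", $unsafe ), "\n";

// The hardened builder rejects the entry; only a non-null result is written.
$safe = build_header_directives_safe( $headers );
if ( null !== $safe && function_exists( 'insert_with_markers' ) ) {
	// WordPress core API (wp-admin/includes/misc.php).
	insert_with_markers( $htaccess_path, 'HttpHeaders', $safe );
}
```

For the constructed input, `build_header_directives_safe()` returns null and nothing is written, while the unsafe builder's single string carries the raw CRLF into the file. Rejecting the entry is preferable to silently normalising it (WordPress's `sanitize_text_field()` would collapse the CR/LF into a space) because an administrator then sees that the value was refused rather than discovering a header that was stored with altered content.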
| CWE | CWE-93 |
| Vendor | zinoui |
| Product | http headers |
| Published | Apr 22, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High
Affected Versions
zinoui / HTTP Headers
0 ≤ 1.19.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745
Credits
Kai Aizen