{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1379", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T18:33:16.029Z", "datePublished": "2026-04-22T07:45:29.518Z", "dateUpdated": "2026-04-22T07:45:29.518Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:29.518Z"}, "affected": [{"vendor": "zinoui", "product": "HTTP Headers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.19.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02e63068-02a8-4106-b64e-430c24815e55?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/views/manual.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/views/manual.php#L18"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "timeline": [{"time": "2026-04-21T19:13:16.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-1379", "lastModified": "2026-04-22T09:16:19.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:19.667", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/views/manual.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/views/manual.php#L18"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02e63068-02a8-4106-b64e-430c24815e55?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:55:28.824351+00:00", "value": {"mitigation_remediation": ["Update the HTTP Headers plugin to the latest available version (1.19.3 or newer) which removes the unsanitized input handling.", "If an update cannot be applied immediately, temporarily disable the Custom Headers feature or remove the plugin entirely to eliminate the attack vector.", "Verify that the unfiltered_html capability is not granted to non\u2011administrator roles as an additional precaution, ensuring that only trusted users can add custom HTML or scripts."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) that can execute arbitrary scripts on pages viewed by any user, potentially enabling session hijacking, defacement, or data theft."}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the HTTP Headers plugin for WordPress, versions 1.19.2 and earlier. It only applies to multi\u2011site installations and sites where the \"unfiltered_html\" capability has been disabled, meaning that administrators can exploit the flaw in such environments.", "description_and_impact": "The HTTP Headers WordPress plugin allows administrators to add custom HTTP headers through a settings page. In versions up to 1.19.2, the input for this feature is not properly sanitized or escaped, creating a stored XSS vulnerability. An authenticated attacker with administrator rights can inject malicious scripts that will run whenever any user loads a page on the site. This flaw may lead to credential theft, defacement, or other malicious payload delivery.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate severity. Because the flaw requires administrator privileges, the attack surface is limited to users who have compromised or legitimately possess admin rights. No publicly available exploit is documented and the EPSS score is not available, further suggesting a lower likelihood of widespread exploitation. However, the vulnerability is not listed in CISA KEV, so it is not currently flagged in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to log into the WordPress dashboard, edit the Custom Headers setting, and inject malicious JavaScript that is then stored and served to all site visitors."}}}}, "created": "2026-04-22T10:00:10.251336+00:00", "updated": "2026-04-22T10:00:10.251347+00:00", "vendors": []}