{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2717", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T21:00:50.620Z", "datePublished": "2026-04-22T07:45:37.169Z", "dateUpdated": "2026-04-22T07:45:37.169Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:37.169Z"}, "affected": [{"vendor": "zinoui", "product": "HTTP Headers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.19.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service."}], "title": "HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745"}, {"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')", "cweId": "CWE-93", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kai Aizen"}], "timeline": [{"time": "2026-04-21T19:13:17.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service."}], "id": "CVE-2026-2717", "lastModified": "2026-04-22T09:16:20.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:20.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:24:55.787582+00:00", "value": {"mitigation_remediation": ["Upgrade the HTTP Headers plugin to version 1.20 or newer, which contains the fix for CRLF injection.", "If an upgrade cannot be applied immediately, temporarily disable the custom headers feature or delete any existing custom header entries to eliminate the injection vector.", "Modify the plugin\u2019s input handling to strip or reject CRLF sequences from header names and values, ensuring only allowed characters reach the .htaccess file."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via corrupted Apache configuration"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are the Zinoui HTTP Headers WordPress plugin. All releases up to and including version 1.19.2 are vulnerable. No specific build or platform details are listed beyond the WordPress environment.", "description_and_impact": "Authenticated administrators can exploit the HTTP Headers WordPress plugin by inserting CRLF characters into custom header names or values, causing malicious newline insertion into the site\u2019s .htaccess file. This injection is permitted because the plugin fails to sanitize user input before writing to .htaccess through insert_with_markers. The injected directives can break the Apache configuration and lead to site-wide service disruption, consistent with CWE\u201193.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.5, indicating a moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The attack requires authenticated Administrator\u2011level access to the WordPress dashboard, after which an attacker can craft malicious header values and trigger the injection. If exploited, the effect is a denial of service resulting from corrupt .htaccess parsing."}}}}, "created": "2026-04-22T09:30:13.554360+00:00", "updated": "2026-04-22T09:30:13.554371+00:00", "vendors": []}