PT-2026-34272 · WordPress · Http Headers

Kai Aizen · Published 2026-04-22 · Updated 2026-05-01

CVE-2026-2717 · CVSS v3.1 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: HTTP Headers plugin for WordPress, versions prior to 1.19.3 (1.19.2 and earlier)
Description: Insufficient sanitization of the custom header name and value fields before they are written to the Apache .htaccess file via the insert_with_markers() function allows authenticated attackers with Administrator-level access or higher to perform CRLF injection. By placing newline characters followed by additional Apache directives in the 'Custom Headers' settings, an attacker can append arbitrary directives to the .htaccess file. A malformed or unsupported directive makes Apache fail to parse the file and answer every request under it with a 500 Internal Server Error, which amounts to a potential site-wide denial of service.
Recommendations: Update the plugin to version 1.19.3 or later. As a temporary workaround, restrict access to the 'Custom Headers' settings to reduce the risk of exploitation. Exploitation requires an Administrator account, so the practical exposure is limited to existing administrators and compromised administrator credentials; the .htaccess vector is only reachable where the web server actually reads .htaccess (Apache with AllowOverride enabled), and a configuration parse error introduced this way persists until the file is repaired by hand.
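The following PHP is an added illustration of the weakness class described above, not code from the HTTP Headers plugin. It contrasts a builder that interpolates the settings strings verbatim into `Header set` directives with a hardened builder that validates the header name as an RFC 7230 token, rejects control characters (including CR and LF) in the value, and escapes double quotes before anything is handed to insert_with_markers(). The function names, the sample settings array and the marker name 'HttpHeaders' are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Assumed: $settings mirrors the plugin's
// 'Custom Headers' option as name => value pairs; 'HttpHeaders' is a placeholder
// marker name for insert_with_markers().

// Vulnerable pattern: the stored strings are interpolated verbatim, so a value
// containing "\r\n" ends the directive early and everything after the line break
// is written to .htaccess as a new line, i.e. as a new Apache directive.
function build_htaccess_lines_unsafe(array $headers): array {
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = "Header set {$name} \"{$value}\"";
    }
    return $lines;
}

// Hardened pattern: the name must be an RFC 7230 token, the value may not contain
// any control character (CR, LF, NUL, TAB, DEL ...), and double quotes are escaped
// so they cannot terminate Apache's quoted argument. Anything else is refused
// outright rather than "cleaned", so a rejected setting never reaches the file.
function build_htaccess_lines_safe(array $headers): array {
    $lines = [];
    foreach ($headers as $name => $value) {
        if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name)) {
            throw new InvalidArgumentException('Invalid header name: ' . var_export($name, true));
        }
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("Control character in value of header {$name}");
        }
        $escaped = str_replace('"', '\\"', $value);
        $lines[] = "Header set {$name} \"{$escaped}\"";
    }
    return $lines;
}

// Constructed input: one legitimate header and one whose value smuggles a line
// break, a real directive, and a token that is not a directive at all. Apache
// refuses to parse a .htaccess containing the latter and serves 500 for every
// request under it, which is the denial of service the advisory describes.
$settings = [
    'X-Frame-Options' => 'SAMEORIGIN',
    'X-Custom'        => "1\r\nRequire all denied\r\nNotADirective",
];

echo "Unsafe output written to .htaccess:\n";
echo implode("\n", build_htaccess_lines_unsafe($settings)) . "\n\n";

try {
    $lines = build_htaccess_lines_safe($settings);
    echo "Hardened output:\n" . implode("\n", $lines) . "\n";
} catch (InvalidArgumentException $e) {
    echo 'Hardened builder rejected the settings: ' . $e->getMessage() . "\n";
}

// Only a validated list should ever be passed on, e.g.:
// insert_with_markers(get_home_path() . '.htaccess', 'HttpHeaders', $lines);
```

Run it with `php example.php`: the unsafe builder emits three lines for the second header, two of which Apache would interpret as standalone directives, while the hardened builder throws on the first control character and writes nothing. The same validation belongs at save time as well as at write time, so a bad value is never persisted; the example does not cover the `%`-prefixed format specifiers that mod_headers interprets inside `Header` values, which need separate handling if values are user-controlled.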

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-2717

Affected Products

Http Headers