PT-2026-34293 · WordPress · Http Headers

Chiao-Lin Yu · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-4132

CVSS v3.1: 7.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: HTTP Headers plugin for WordPress, versions prior to 1.19.3

Description: Insufficient validation of the file path stored in the hh_htpasswd_path option, combined with a lack of sanitization of the hh_www_authenticate_user option value, allows authenticated attackers with Administrator-level access or above to achieve Remote Code Execution. The plugin accepts an arbitrary file path for the htpasswd file without restricting it to safe extensions. The apache_auth_credentials() function builds the file content from the unsanitized username via sprintf(), and the update_auth_credentials() function writes that content to the attacker-controlled path with file_put_contents(), so arbitrary content, such as PHP code, can be written to a file of the attacker's choosing on the server.

Recommendations: Update the plugin to version 1.19.3 or later.
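The pattern the description outlines, as an added PHP illustration that is not code from the HTTP Headers plugin or its author: the vulnerable shape (unsanitized username through sprintf(), unrestricted destination path through file_put_contents()) beside a hardened counterpart that pins the file name and extension and allowlists the username. Only the option names hh_htpasswd_path and hh_www_authenticate_user and the function names apache_auth_credentials() and update_auth_credentials() come from the advisory; the function bodies, the settings array standing in for WordPress get_option(), and the temporary-directory demonstration are assumptions made for the example.

```php
<?php
// Added example for this advisory, not the plugin's code. The vuln_* and safe_*
// bodies are a reconstruction of the described pattern; the $options array is a
// stand-in for WordPress get_option() so the script runs without WordPress.

// ---- Vulnerable shape, as described: unsanitized user, unrestricted path ----

function vuln_apache_auth_credentials(string $user, string $pass): string
{
    // %s performs no escaping: a newline or a "<?php" tag in $user lands in the file verbatim.
    return sprintf("%s:%s\n", $user, password_hash($pass, PASSWORD_BCRYPT));
}

function vuln_update_auth_credentials(array $options, string $pass): string
{
    $path = $options['hh_htpasswd_path'];          // admin-controlled, any directory, any extension
    $user = $options['hh_www_authenticate_user'];  // admin-controlled, never sanitized
    file_put_contents($path, vuln_apache_auth_credentials($user, $pass));
    return $path;
}

// ---- Hardened shape ----

function safe_username(string $user): string
{
    // htpasswd separates fields with ':' and records with newlines; allow neither,
    // and nothing that could open a PHP tag.
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid htpasswd username');
    }
    return $user;
}

function safe_htpasswd_path(string $candidate, string $allowedDir): string
{
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('htpasswd directory missing');
    }
    // Accept a bare file name only: no directory components, so no traversal.
    if ($candidate === '' || $candidate !== basename($candidate)) {
        throw new InvalidArgumentException('htpasswd path must be a file name, not a path');
    }
    // Pin the extension so the web server never treats the file as executable code.
    if (!preg_match('/\A[A-Za-z0-9_-]*\.htpasswd\z/', $candidate)) {
        throw new InvalidArgumentException('htpasswd file must end in .htpasswd');
    }
    return $base . DIRECTORY_SEPARATOR . $candidate;
}

function safe_update_auth_credentials(array $options, string $pass, string $allowedDir): string
{
    $user = safe_username($options['hh_www_authenticate_user']);
    $path = safe_htpasswd_path($options['hh_htpasswd_path'], $allowedDir);
    $line = sprintf("%s:%s\n", $user, password_hash($pass, PASSWORD_BCRYPT));
    file_put_contents($path, $line, LOCK_EX);  // LOCK_EX: no interleaved partial writes
    chmod($path, 0600);                        // the hash file is not for other local users
    return $path;
}

// ---- Demonstration with constructed settings ----

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hh-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// Constructed attacker settings: a .php destination and a username carrying a PHP tag.
$attackerOptions = [
    'hh_htpasswd_path'         => $dir . DIRECTORY_SEPARATOR . 'shell.php',
    'hh_www_authenticate_user' => "admin:x\n<?php echo 'payload executed'; ?>\n#",
];

$written = vuln_update_auth_credentials($attackerOptions, 'secret');
echo "vulnerable path wrote: $written\n", file_get_contents($written);
// If $dir were under the web root, requesting shell.php would execute the payload.

try {
    safe_update_auth_credentials($attackerOptions, 'secret', $dir);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected: {$e->getMessage()}\n";
}

// Constructed legitimate settings: a plain file name and a well-formed username.
$legitOptions = [
    'hh_htpasswd_path'         => '.htpasswd',
    'hh_www_authenticate_user' => 'editor@example.org',
];
echo "hardened path wrote: ", safe_update_auth_credentials($legitOptions, 'secret', $dir), "\n";
```

The hardened version still uses sprintf(); the fix is not a different formatting call but validating both inputs before they reach it, and confining the destination to a fixed directory and a fixed extension so that even a successful write cannot produce a file the web server would execute. Where the directory must live under the web root, it should additionally carry a server-side deny rule, which this script cannot demonstrate.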

Fix

RCE


Related Identifiers

CVE-2026-4132

Affected Products

Http Headers