Vulnerability in Zinoui Http Headers
CVE-2026-2717
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess…
Vulnerability class: CRLF Injection
EPSS: 0.000 (6.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H.
Affected products
- Zinoui Http Headers — versions 0
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0…
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
Frequently asked questions
- What is CVE-2026-2717?
- CVE-2026-2717 is a medium-severity vulnerability in Zinoui Http Headers, classified under CRLF Injection. CVSS score: 5.5/10. Published 2026-04-22.
- How severe is CVE-2026-2717?
- Medium severity. CVSS v3 base score is 5.5 out of 10.