Vulnerability in Zinoui Http Headers
CVE-2026-4132
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the…
EPSS: 0.006 (68.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Zinoui Http Headers — versions 0
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/ce010c6f-16bd-4178-a621-31ba6…
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php
- plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php
Frequently asked questions
- What is CVE-2026-4132?
- CVE-2026-4132 is a high-severity vulnerability in Zinoui Http Headers, classified under External Control of File Name or Path. CVSS score: 7.2/10. Published 2026-04-22.
- How severe is CVE-2026-4132?
- High severity. CVSS v3 base score is 7.2 out of 10.