[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fK3FHIBoCOQzg7NWQwBIvO5T8kuJOr8NHJvLry-SUq2s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-2717","http-headers-authenticated-administrator-crlf-injection-via-custom-header-values","HTTP Headers \u003C= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values","The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.","http-headers",null,"\u003C=1.19.2","medium",5.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:H","Improper Neutralization of CRLF Sequences ('CRLF Injection')","2026-04-21 19:13:17","2026-05-04 15:40:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7716e77f-e899-4046-9421-86fc0c36c245?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2717 (CRLF Injection in HTTP Headers)\n\n## 1. Vulnerability Summary\nThe **HTTP Headers** plugin (\u003C= 1.19.2) is vulnerable to **CRLF Injection** via the \"Custom Headers\" configuration. The plugin allows administrators to define arbitrary HTTP headers which are then written to the site's `.htaccess` file using the WordPress core function `insert_with_markers()`. \n\nThe vulnerability exists because the plugin fails to sanitize or validate the input fields for custom header names and values against newline characters (`\\n`, `\\r`). An attacker with Administrator privileges can inject CRLF sequences followed by arbitrary Apache directives. When these are written to `.htaccess`, Apache fails to parse the configuration, resulting in a site-wide **500 Internal Server Error (Denial of Service)**.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: WordPress Admin Dashboard Settings Page (typically `options-general.php?page=http-headers-custom-headers` or similar).\n*   **Vulnerable Parameter**: Input fields for custom header names\u002Fvalues (e.g., `http_headers_custom[name][]` and `http_headers_custom[value][]`).\n*   **Authentication**: Authenticated, Administrator role required.\n*   **Preconditions**:\n    *   The site must be running on an **Apache** web server.\n    *   The `.htaccess` file must be writable by the web server\u002FWordPress.\n    *   The \"Custom Headers\" feature must be active or accessible.\n\n## 3. Code Flow\n1.  **Entry Point**: The administrator navigates to the plugin settings and submits the \"Custom Headers\" form.\n2.  **Form Submission**: The data is sent to `options.php` (standard Settings API) or a custom POST handler in the plugin.\n3.  **Processing**: The plugin retrieves the array of custom headers.\n4.  **Generation**: A string of Apache directives is built, typically using the format: `Header set [NAME] \"[VALUE]\"` (inferred).\n5.  **Sink**: The plugin calls `insert_with_markers( get_home_path() . '.htaccess', 'HTTP Headers', $rules )`.\n6.  **Vulnerability**: Because `$rules` contains unsanitized user input with `\\n`, the generated `.htaccess` block breaks out of the intended `Header` directive.\n\n## 4. Nonce Acquisition Strategy\nThis exploit requires an authenticated Administrator session. Since it involves modifying plugin settings, a standard WordPress settings nonce is required.\n\n1.  **Login**: Authenticate as an Administrator using `wp_cli` or `http_request`.\n2.  **Navigate**: Access the Custom Headers settings page.\n3.  **Identify Variable**: Look for the `_wpnonce` field in the form or the localized JS variable if the plugin uses AJAX.\n4.  **Extraction**:\n    *   Navigate to: `\u002Fwp-admin\u002Foptions-general.php?page=http-headers` (exact slug to be verified).\n    *   Use `browser_eval` to get the nonce:\n        ```javascript\n        \u002F\u002F Search for the nonce in the settings form\n        document.querySelector('input[name=\"_wpnonce\"]')?.value;\n        ```\n\n## 5. Exploitation Strategy\nThe goal is to inject a malformed Apache directive into `.htaccess` to cause a 500 error.\n\n### Step 1: Discover Setting Parameters\nAccess the settings page and identify the name of the option and the field names.\n*   **Inferred URL**: `\u002Fwp-admin\u002Foptions-general.php?page=http-headers`\n*   **Inferred Field Name**: `http_headers_custom_headers[0][value]`\n\n### Step 2: Prepare the Payload\nThe payload will use a newline to break the `Header` directive and insert a syntax error.\n*   **Payload Name**: `X-Safe-Header`\n*   **Payload Value**: `SafeValue\" \\n Malformed-Directive-Here`\n*   **Resulting `.htaccess` logic**:\n    ```apache\n    # BEGIN HTTP Headers\n    Header set X-Safe-Header \"SafeValue\"\n    Malformed-Directive-Here\n    # END HTTP Headers\n    ```\n\n### Step 3: Execute Request\nSubmit the settings form via `http_request`.\n\n**Request Details**:\n*   **Method**: `POST`\n*   **URL**: `https:\u002F\u002F[target]\u002Fwp-admin\u002Foptions.php`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```text\n    option_page=http_headers_settings_group&\n    action=update&\n    _wpnonce=[NONCE]&\n    http_headers_custom_headers[0][name]=X-EVIL&\n    http_headers_custom_headers[0][value]=Injected\"\\nUnrecognizedDirective&\n    submit=Save+Changes\n    ```\n\n## 6. Test Data Setup\n1.  **Requirement**: WordPress installed on Apache.\n2.  **User**: `wp user create attacker admin@example.com --role=administrator --user_pass=password`\n3.  **Plugin Configuration**:\n    *   Ensure the \"HTTP Headers\" plugin is active.\n    *   Check if a \"Custom Headers\" sub-tab exists within the plugin settings.\n\n## 7. Expected Results\n*   **Immediate Effect**: After the `POST` request, the application should return a 500 Internal Server Error (or the next request to any page will).\n*   **Root Cause**: The `.htaccess` file now contains:\n    ```apache\n    Header set X-EVIL \"Injected\"\n    UnrecognizedDirective\n    ```\n*   **Response**: HTTP 500.\n\n## 8. Verification Steps\nAfter attempting the exploit, use the terminal\u002FWP-CLI to verify the file corruption:\n1.  **Check .htaccess**: `cat \u002Fvar\u002Fwww\u002Fhtml\u002F.htaccess`\n    *   Verify the content between `# BEGIN HTTP Headers` and `# END HTTP Headers` contains the injected newline and the `UnrecognizedDirective`.\n2.  **Confirm Site Status**: `curl -I http:\u002F\u002Flocalhost:8080\u002F`\n    *   Expect `HTTP\u002F1.1 500 Internal Server Error`.\n3.  **Cleanup**: `wp plugin deactivate http-headers` (if possible) or manually edit `.htaccess` to remove the broken block.\n\n## 9. Alternative Approaches\n*   **Blind Injection**: If the goal is not DoS, but bypass, try injecting `\\nHeader set Access-Control-Allow-Origin \"*\"` to modify security policies.\n*   **Comment Injection**: If a directive name is required, use `\\n# Injected Comment` to verify injection without crashing the site initially.\n*   **Different Marker**: Check if the plugin uses a different marker name in `insert_with_markers` (e.g., `insert_with_markers( ..., 'HTTP_HEADERS', ... )`).\n*   **Field Targeting**: If the `value` field is escaped but the `name` field is not, move the payload to the header name field: `X-Header\"\\nMalformedDirective: `.","gemini-3-flash-preview","2026-04-27 13:52:35","2026-04-27 13:52:51",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhttp-headers\u002Ftags"]