CVE-2026-4132: CWE-73 External Control of File Name or Path in zinoui HTTP Headers
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.
AI Analysis
Technical Summary
The zinoui HTTP Headers plugin for WordPress suffers from an External Control of File Name or Path vulnerability (CWE-73) due to improper validation of the 'hh_htpasswd_path' option and lack of sanitization of the 'hh_www_authenticate_user' option. The plugin allows administrator-level users to specify arbitrary file paths for the htpasswd file and directly writes unsanitized usernames into this file. The apache_auth_credentials() function formats the file content using the unsanitized username, and update_auth_credentials() writes this content to the attacker-controlled path using file_put_contents(). This chain enables authenticated administrators to write arbitrary files, including executable PHP code, resulting in remote code execution on the server. The vulnerability affects all versions up to and including 1.19.2. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with administrator-level privileges can exploit this vulnerability to write arbitrary files, including PHP code, to arbitrary locations on the server. This leads to remote code execution, allowing full compromise of the affected server's confidentiality, integrity, and availability. The vulnerability poses a significant risk to affected WordPress sites using the zinoui HTTP Headers plugin up to version 1.19.2.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Until a vendor-provided patch or official fix is released, administrators should restrict access to the plugin settings to trusted users only and avoid using the vulnerable plugin version. Monitor the vendor's advisory channels for updates and apply official patches immediately once available.
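The two defects the advisory names are an unvalidated file path and an unsanitized username flowing into file_put_contents(). The following PHP is an added example, not the plugin's own code, showing the hardened shape a fix should take; function names, the assumed option-derived inputs, and POSIX-style paths are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened form of the pattern the
// advisory describes: path taken from an option and a username written with
// sprintf()/file_put_contents(). Function names and POSIX paths are assumptions.

// Shape of the vulnerable flow, reconstructed from the advisory text only:
//   file_put_contents(get_option('hh_htpasswd_path'),
//       sprintf('%s:{SHA}%s', $user, base64_encode(sha1($pass, true))));

function hh_validate_htpasswd_path(string $path): ?string
{
    // Absolute path, conservative character set, no empty segments.
    if (!preg_match('~^(/[A-Za-z0-9._-]+)+$~', $path)) {
        return null;
    }
    // Only a file literally named .htpasswd may be written (the check the
    // advisory says is missing); this rules out .php, .phtml, .htaccess, etc.
    if (basename($path) !== '.htpasswd') {
        return null;
    }
    // Resolve the parent so ".." segments or symlinks cannot redirect the write.
    $dir = realpath(dirname($path));
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    return rtrim($dir, '/') . '/.htpasswd';
}

function hh_validate_user(string $user): ?string
{
    // htpasswd lines are "user:hash", so ':' and line breaks in the user field
    // corrupt the file or inject extra records; allow-list instead of escaping.
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user) ? $user : null;
}

function hh_build_credentials(string $user, string $pass): string
{
    // Apache {SHA} scheme: base64 of the raw SHA-1 digest.
    return sprintf("%s:{SHA}%s\n", $user, base64_encode(sha1($pass, true)));
}

function hh_update_auth_credentials(string $rawPath, string $rawUser, string $pass): bool
{
    $path = hh_validate_htpasswd_path($rawPath);
    $user = hh_validate_user($rawUser);
    if ($path === null || $user === null) {
        return false; // refuse the write rather than fall back to a default path
    }
    return file_put_contents($path, hh_build_credentials($user, $pass), LOCK_EX) !== false;
}
```

In a WordPress plugin the two validators belong in the options' sanitize_callback passed to register_setting(), so a rejected path or username is never stored in the first place.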
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-13T14:17:17.140Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e8877019fe3cd2cd808fd1
Added to database: 4/22/2026, 8:31:44 AM
Last enriched: 4/22/2026, 8:46:10 AM
Last updated: 4/23/2026, 1:04:51 AM