CVE-2026-4132 HIGH

CVE-2026-4132: HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters

Vendor Zinoui
Product HTTP Headers
Weakness CWE-73
Published April 22, 2026
Last update April 22, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.
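As an added illustration (this is not the plugin's code; the function names and the $allowed_dir parameter are assumptions modelled on the advisory text), here is the vulnerable write pattern the advisory describes beside a hardened version that constrains both the path and the username before file_put_contents() is called:

```php
<?php
// Added example, not code from the HTTP Headers plugin. Function names and the
// $allowed_dir parameter are assumptions modelled on the advisory text.

// Vulnerable pattern as described in the advisory: the stored path and the
// Basic-auth username are used as-is.
function vulnerable_update_auth_credentials(string $path, string $user, string $pass): void
{
    $line = sprintf("%s:{SHA}%s\n", $user, base64_encode(sha1($pass, true)));
    file_put_contents($path, $line); // $path may be /var/www/html/x.php, $user may be PHP code
}

// Hardened form: only a .htpasswd-named file inside $allowed_dir is accepted.
function safe_htpasswd_path(string $path, string $allowed_dir): ?string
{
    $base = basename($path);
    if (!preg_match('/^(?:[A-Za-z0-9_-]+)?\.htpasswd$/', $base)) {
        return null; // wrong name or extension (e.g. shell.php)
    }
    $dir  = realpath(dirname($path));   // collapses ../ and symlinked directories
    $root = realpath($allowed_dir);
    if ($dir === false || $root === false) {
        return null; // directory does not exist
    }
    if ($dir !== $root && strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved directory lies outside $allowed_dir
    }
    $full = $dir . DIRECTORY_SEPARATOR . $base;
    if (is_link($full)) {
        return null; // do not follow a planted symlink to another file
    }
    return $full;
}

// Hardened form: htpasswd user names must not contain ':' (the field
// separator), line breaks, or anything that could be interpreted as code.
function safe_htpasswd_user(string $user): ?string
{
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user) === 1 ? $user : null;
}

function hardened_update_auth_credentials(string $path, string $user, string $pass, string $allowed_dir): bool
{
    $safe_path = safe_htpasswd_path($path, $allowed_dir);
    $safe_user = safe_htpasswd_user($user);
    if ($safe_path === null || $safe_user === null) {
        return false; // refuse rather than write something unexpected
    }
    // Apache "{SHA}" format: base64 of the raw SHA-1 digest of the password.
    $line = sprintf("%s:{SHA}%s\n", $safe_user, base64_encode(sha1($pass, true)));
    return file_put_contents($safe_path, $line, LOCK_EX) !== false;
}

// Constructed demonstration values (assumed layout: the htpasswd file lives in a temp dir).
$allowed = sys_get_temp_dir();
$payload = "<?php system(\$_GET['c']); ?>";
var_dump(hardened_update_auth_credentials($allowed . '/shell.php', $payload, 'x', $allowed));
var_dump(hardened_update_auth_credentials($allowed . '/.htpasswd', 'alice', 'correct horse', $allowed));
```

Both controls are needed: safe_htpasswd_path() stops the write from landing in a file the web server would execute (and realpath() defeats ../ traversal into the web root), while safe_htpasswd_user() stops a PHP payload from being smuggled in through the username even when the path is sane. The {SHA} digest format is kept only because it is the format the advisory quotes; Apache's htpasswd also supports bcrypt, which is the better choice for new deployments.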

Explanation of Vulnerability in Simple Terms

02 Summary

The HTTP Headers plugin for WordPress by Zinoui, in versions up to and including 1.19.2, lets an authenticated administrator write arbitrary content to an arbitrary file path on the server. The plugin stores an administrator-supplied path for its htpasswd file without checking that the path ends in a safe extension, and it writes the HTTP Basic Authentication username into that file without sanitizing it. Because the username can carry PHP code and the path can point at a .php file under the web root, the two together give remote code execution. Exploitation needs no user interaction. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

With Administrator credentials, write a file of attacker-chosen content (including PHP code) to any path the web server user can write to, then execute that code by requesting the file through the web server. The result is arbitrary code execution in the web server's context, which is why confidentiality, integrity and availability are all rated High in the vector (C:H/I:H/A:H).

Potential impact on your site

04 Site Impact

An attacker holding or having compromised an Administrator account can drop a web shell or other PHP file onto the server and run code with the web server's privileges: read any file the web server can read, modify the site and its files, and take the site down. Because the foothold is a file on disk rather than a WordPress account, it survives an admin password reset until the written file is found and removed.

Conditions required to exploit

05 Prerequisites

The attacker needs an authenticated WordPress account with the Administrator role or higher on a site running HTTP Headers 1.19.2 or earlier, plus access to the plugin settings where the htpasswd path and Basic Authentication username are configured. No user interaction is required. A WordPress administrator can ordinarily install plugins containing PHP anyway, so the finding matters most on sites that have locked that down (for example with the DISALLOW_FILE_MODS constant), because that hardening does not restrict a direct file_put_contents() call made by plugin code.

Key dates

06 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated