WordPress HTTP Headers Plugin CRLF Injection Vulnerability

A CRLF injection vulnerability has been identified in the HTTP Headers plugin for WordPress, affecting all versions up to and including 1.19.2. The vulnerability arises from inadequate sanitization of custom header names and values before they are written to the Apache .htaccess file using the 'insert_with_markers()' function. This flaw allows authenticated attackers with Administrator-level access to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration. The result can be Apache configuration parse errors and a potential site-wide denial of service.

Impact

Exploitation of this vulnerability can lead to CRLF injection, allowing for the injection of newline characters and additional directives into the Apache .htaccess file. This can cause Apache to misinterpret the configuration, leading to parse errors and a denial of service for the site.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator-level access can navigate to the 'Custom Headers' settings of the HTTP Headers plugin. There, they can enter a custom header name and value that include newline characters and additional Apache directives. Once saved, the injected content will be written to the .htaccess file, causing a configuration parse error on the server.

Remediation

No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.