{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4132/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4132"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","plugin","cve-2026-4132"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe HTTP Headers plugin for WordPress, versions up to and including 1.19.2, is vulnerable to remote code execution (RCE) due to a file path manipulation vulnerability (CVE-2026-4132). This vulnerability stems from the plugin\u0026rsquo;s insufficient validation of the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, which controls the location of the .htpasswd file. Furthermore, the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, used for setting the username for HTTP Basic Authentication, lacks proper sanitization. This allows attackers with administrator privileges to specify an arbitrary file path for the htpasswd file and inject unsanitized content into it. By crafting a malicious username containing PHP code and setting the htpasswd path to a web-accessible directory, an attacker can execute arbitrary code on the server. This exploit requires administrator-level access to the WordPress dashboard.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the HTTP Headers plugin settings page.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_htpasswd_path\u0026rsquo; option, setting it to a file path inside a web-accessible directory (e.g., \u003ccode\u003e/var/www/html/wp-content/uploads/.shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026lsquo;hh_www_authenticate_user\u0026rsquo; option, injecting PHP code into the username field (e.g., \u003ccode\u003e\u0026lt;?php system($_GET['cmd']); ?\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapache_auth_credentials()\u003c/code\u003e function uses \u003ccode\u003esprintf()\u003c/code\u003e to combine the malicious username with a SHA hash, creating a crafted htpasswd entry.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_auth_credentials()\u003c/code\u003e function then writes the crafted content, including the injected PHP code, to the attacker-controlled file path using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the newly created PHP file via a web browser (e.g., \u003ccode\u003ehttp://example.com/wp-content/uploads/.shell.php?cmd=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected PHP code executes, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker remote code execution on the affected WordPress server. This can lead to complete compromise of the server, including data theft, website defacement, malware deployment, and further attacks against internal networks. Given the widespread use of WordPress and its plugins, a successful exploit could impact a large number of websites and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the HTTP Headers plugin to a patched version (if available) to remediate CVE-2026-4132.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file paths that match the \u0026lsquo;hh_htpasswd_path\u0026rsquo; setting specified in the plugin configuration to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect file creation events in web-accessible directories with PHP extensions that are triggered by the web server process.\u003c/li\u003e\n\u003cli\u003eRestrict access to the WordPress administrator dashboard to only trusted individuals and enforce strong password policies to prevent unauthorized access to plugin settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:24Z","date_published":"2026-04-22T09:16:24Z","id":"/briefs/2026-04-wordpress-http-headers-rce/","summary":"The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.","title":"WordPress HTTP Headers Plugin Remote Code Execution via File Path Manipulation (CVE-2026-4132)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-http-headers-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4132","version":"https://jsonfeed.org/version/1.1"}