CVE-2026-2811: Ajaxify Comments Unauthenticated HTTP Header Injection
CVSS: 5.4 (MEDIUM)
TL;DR: Unauthenticated HTTP Header Injection in the Ajaxify Comments WordPress plugin (< 3.2) due to insufficient input sanitization, allowing attackers to inject arbitrary HTTP headers.
Summary
Discovered an HTTP Header Injection vulnerability in Ajaxify Comments, a WordPress plugin for AJAX-powered comment submission. The plugin is vulnerable due to insufficient input sanitization and output escaping on user-supplied data, allowing unauthenticated attackers to inject arbitrary HTTP headers.
CVE ID: CVE-2026-2811
WPScan: 48250628-9b81-4bef-b623-356ceca01215
CWE: CWE-113 — HTTP Response Splitting
Affected Versions: Ajaxify Comments < 3.2
Fixed in: Ajaxify Comments 3.2
Impact
- HTTP response manipulation — inject arbitrary headers into server responses
- Cache poisoning — manipulate cached responses to serve malicious content to other users
- Session fixation — inject `Set-Cookie` headers to control victim session identifiers
- No authentication required — exploitable by any unauthenticated visitor
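The root cause named in the summary (user-supplied data reaching a response header without CR/LF being neutralized, CWE-113) and the `Set-Cookie` consequence listed under Impact can both be shown in a few lines. The following is an added example, not code from the Ajaxify Comments plugin or from the advisory author: it assembles a response header block the way a naive handler might, parses the result the way a client or cache would, and contrasts it with a hardened builder that rejects any value containing a CR or LF. The header name `X-Comment-Status` and the tainted input string are constructed for the example and are not taken from the plugin.

```python
import re
from typing import List, Tuple

# RFC 7230 forbids bare CR and LF inside a header field value. Any value
# that carries them can terminate the current header line and start new
# ones, which is the mechanism behind CWE-113 (HTTP response splitting).
CRLF_RE = re.compile(r"[\r\n]")

# Constructed attacker-style input: a benign-looking status followed by a
# CRLF and a second header line. The cookie value is a placeholder.
TAINTED_VALUE = "success\r\nSet-Cookie: PHPSESSID=constructed-fixed-value"


def build_response_unsafe(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """Vulnerable pattern: header values are concatenated without neutralizing CR/LF."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def sanitize_header_value(value: str) -> str:
    """Hardened pattern: refuse the value outright rather than trying to repair it."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF is not permitted in an HTTP header value")
    return value


def build_response_safe(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """Same builder, but every value passes through sanitize_header_value()."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {sanitize_header_value(value)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response the way a client or cache does: one header per CRLF-terminated line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    result = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        result.append((name.strip(), value.strip()))
    return result


def demo() -> Tuple[List[Tuple[str, str]], bool]:
    """Return (headers seen by the client for the unsafe build, whether the safe build rejected it)."""
    seen = parse_headers(build_response_unsafe("200 OK", [("X-Comment-Status", TAINTED_VALUE)]))
    try:
        build_response_safe("200 OK", [("X-Comment-Status", TAINTED_VALUE)])
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    headers, rejected = demo()
    for name, value in headers:
        print(f"client sees header: {name} = {value!r}")
    print("hardened builder rejected the value:", rejected)
```

The unsafe build emits two headers from a single user-controlled value, the second being the injected `Set-Cookie`; the hardened build raises before anything is written. Rejecting is preferable to silently stripping CR/LF, because a stripped value may still land in a cache or log in a form the developer never reviewed, and an exception makes the attempt visible to monitoring.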