simple solution for CRLF Injection is to sanitise the CRLF characters before passing into the header or to encode the data which will prevent the CRLF sequences entering the header.
Thanks for your elaborate reaction, my friend, and you are so right,
the hacker/defacer just needs some outdated CMS code bugs
and a tiny wormhole to work an automated exploit through to compromise a website.
Then again WordPress and Joomla belong to these favourite flavours of CMS to work a hack through,
(outdated kernel-code, wrong settings, theme and plug-in-code).
Website owners should realy do a scan of their websites