WordPress Plugin Vulnerabilities

HTTP Headers < 1.19.0 - Admin+ SSRF

Description

The plugin uses user input in in the wp_remote_head() function, which could allow high privilege users such as admin to perform SSRF attacks

Affects Plugins

Plugin icon
http-headers
Fixed in 1.19.0

References

CVE
CVE-2023-37978

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
3fe40fab-2310-4581-b500-fdaf6112695a

Timeline

Publicly Published
2023-07-13 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2024-04-16
Title
Really Simple SSL < 8.0.0 - Admin+ Server-Side Request Forgery
Published
2025-01-31
Title
Traveler Layout Essential For Elementor < 1.4 - Unauthenticated Server-Side Request Forgery
Published
2025-12-31
Title
WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. <= 1.0.7 - Unauthenticated Server-Side Request Forgery
Published
2024-02-28
Title
Friends < 2.8.6 - Authenticated (Admin+) Blind Server-Side Request Forgery
Published
2016-04-12
Title
WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses