WordPress Plugin Vulnerabilities

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Description

This plugin allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
http-headers
Fixed in 1.18.11

References

CVE
CVE-2023-1208

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
qerogram(at Kakao Style Corp.)
Submitter
qerogram(at Kakao Style Corp.)
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
e0cc6740-866a-4a81-a93d-ff486b79b7f7

Timeline

Publicly Published
2023-06-19 (about 2 years ago)
Added
2023-06-19 (about 2 years ago)
Last Updated
2023-06-19 (about 2 years ago)

Other

Published
Title
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation
Published
2021-10-20
Title
Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
Published
2021-04-14
Title
BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities
Published
2025-11-14
Title
Qi Blocks < 1.4.4 - Missing Authorization to Arbitrary Attachment Resize
Published
2019-07-10
Title
WP-GraphQL < 0.3.5 - Improper Access Control