Description
WordPress Plugin HTTP Headers is prone to multiple vulnerabilities, including server-side request forgery and cross-site request forgery vulnerabilities. Exploiting these issues could allow an attacker to make the vulnerable server perform port scanning of hosts in internal or external networks, or to perform certain administrative actions and gain unauthorized access to the affected application. WordPress Plugin HTTP Headers version 1.9.1 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.9.4 or the latest version.
References
https://www.pluginvulnerabilities.com/2018/01/18/wordpress-plugin-security-review-http-headers/
https://plugins.svn.wordpress.org/http-headers/trunk/README.txt