VYPR

HTTP Headers

by WordPress

CVEs (7)

  • CVE-2026-4132 | High | Apr 22, 2026
    risk 0.47 | cvss 7.2 | epss 0.01

    The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of…

  • CVE-2026-2717 | Medium | Apr 22, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This…

  • CVE-2026-1379 | Medium | Apr 22, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2023-37978 | Medium | Nov 13, 2023
    risk 0.29 | cvss 4.4 | epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Dimitar Ivanov HTTP Headers. This issue affects HTTP Headers: from n/a through 1.18.11.

  • CVE-2023-37874 | Aug 5, 2023
    risk 0.00 | cvss | epss 0.00

    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dimitar Ivanov HTTP Headers plugin <= 1.18.11 versions.

  • CVE-2023-1208 | Jul 10, 2023
    risk 0.00 | cvss | epss 0.01

    This HTTP Headers WordPress plugin before 1.18.11 allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

  • CVE-2023-1207 | May 15, 2023
    risk 0.00 | cvss | epss 0.01

    This HTTP Headers WordPress plugin before 1.18.8 has an import functionality which executes arbitrary SQL on the server, leading to an SQL Injection vulnerability.