Critical security vulnerability | WordPress.org

Resolved bandora
(@bandora)

3 weeks, 1 day ago

Is this plugin still being updated? There is a critical security vulnerability that needs urgent patching https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/http-headers/http-headers-1192-authenticated-administrator-external-control-of-file-name-or-path-to-rce-via-hh-htpasswd-path-and-hh-www-authenticate-user-parameters

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author Dimitar Ivanov
(@zinoui)

3 weeks, 1 day ago

Yes, update is coming in the next few days.

thomas2026
(@thomas2026)

2 weeks, 4 days ago

Hi @zinoui

I updated to the latest version of your plugin and now all pages appears blank in my WordPress site Dashboard.

thomas2026
(@thomas2026)

2 weeks, 3 days ago

@zinoui

From my logs, this is what I see, which may be useful for you.

PHP Warning: Undefined variable $filename in …/wp-content/plugins/http-headers/http-headers.php on line 1493

PHP Warning: Cannot modify header information – headers already sent by (output started at …/wp-includes/script-loader.php:2428) in …/wp-includes/pluggable.php on line 1531

I am on WordPress 6.9.4 and PHP v8.3.30, Apache web server.
I upgraded your plugin from 1.19.2 to 1.19.4 when the issue happened.

Plugin Author Dimitar Ivanov
(@zinoui)

2 weeks, 3 days ago

@bandora I’ve just release a new version that address the issue. Thanks

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

4 replies
3 participants
Last reply from: Dimitar Ivanov
Last activity: 2 weeks, 3 days ago
Status: resolved