Support » Plugin: Plugin Security Scanner » Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Pass Reset

  • Resolved RadCon



    I’ve received this notification for all my sites today: “Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset”

    But this vulnerability has been fixed with WP 4.8.2, no?

    Best regards,

Viewing 15 replies - 1 through 15 (of 17 total)
  • I came to ask the same.
    I got two “Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset” warnings. Both are same.
    Should I be worried?
    Plugin does not give any option about what to do?

    Plugin Author Glen Scott


    As far as I can see, this vulnerability exists in the current 4.8.2 version of WordPress and no official patch exists, as yet. Will follow-up if and when I find out more information.

    I came for the same reason. Please, if you find a solution, let us know. Thanks.


    I deactivated the plugin temporarily to avoid receiving daily notifications for this vulnerability from all my sites.

    I’ll reactivate it when this issue is fixed.

    Best regards,

    Plugin Author Glen Scott


    Yes, unfortunately disabling the plugin is the only option at the moment if you want to mute those notifications. Hopefully WordPress will release an updated fixed version soon.



    Any update on a fix for this?

    BTW, shutting off the vulnerability plug-in so you stop getting the alerts is the equivalent killing all power to your smoke alarms. Not a good thing to do. A Fortune 50 co. that I worked for back in the ’90s had a huge DC failure because some workers (present company not included) silenced a physical alarm instead of fixing the issue that was causing the alarm.

    Never mind, found it:

    • This reply was modified 10 months ago by  kkoch3.

    Hello, since 2 weeks I have this error of the WordPress sites that I create. Is it possible to have solution ?

    Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset

    Thank you

    Is it possible to create an update to set this error please!

    This error has existed for several weeks, come back with a solution or an explanation! Thank you for your help

    Plugin Author Glen Scott


    The vulnerability is genuine. More details can be found here:

    Given that no official fix has been forthcoming from WordPress, I am planning to release an update that will allow you to ignore this error if you have manually fixed the problem on your server.

    Thank you for your patience,


    • This reply was modified 9 months, 2 weeks ago by  Glen Scott.
    Plugin Author Glen Scott


    Version 1.5.1 of the plugin has a new setting that allows you to ignore the “WordPress 2.3-4.8.3 – Host Header Injection in Password Reset” after you have manually verified that your web host is not vulnerable.

    Hi @glen_scott
    Thanks for adding this new option but I can’t find it.
    Where is it? I’ve already updated your plugin.
    Best regards

    Plugin Author Glen Scott


    The setting can be found under Settings -> General (see screenshot)

    Perfect. Many thanks!



    I unchecked the box to opt-out of this detection and upgraded to 4.9. I then ran the scanner and it didn’t detect it. Has this been fixed in 4.9?

    Plugin Author Glen Scott


    It is not currently listed as a vulnerability in 4.9:

    This means that either WordPress has fixed the issue or the vulnerability database has not yet been updated.

Viewing 15 replies - 1 through 15 (of 17 total)
  • You must be logged in to reply to this topic.