Report
The HTTP Headers plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.18.10 via the 'http_headers_pre_update_option' function. This allows authenticated attackers with administrator-level permissions to write files and execute code on the server. The issue was partially fixed in 1.18.10 but not fully fixed until 1.18.11.
Score:7.2
Severity:High
Version:< 1.18.11
There is a patch available in v1.18.11 and we strongly recommend you update to this version as soon as possible.
