HTTP Headers

Vulnerabilities 8Slug http-headersLatest version 1.19.5WordPress.org →

Minimum safe version

1.19.0

Update to 1.19.0 or later to address 5 fixable vulnerabilities

Latest available1.19.5 ✓⚠ 3 vulnerabilities have no fix

Medium 4.4 Unfixed

2026-04-22≤ 1.19.2

HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting

CVE Wordfence Patchstack

Medium 5.5 Unfixed

2026-04-22≤ 1.19.2

HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values

CVE Wordfence

High 7.2 Unfixed

2026-04-22≤ 1.19.2

HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters

CVE Wordfence

Medium 4.4

2023-11-13< 1.19.0

CVE-2023-37978

CVE Patchstack WPScan

N/A

2023-07-13< 1.19.0

HTTP Headers <= 1.18.11 - Server-Side Request Forgery

Wordfence

Medium 5.9

2023-08-05< 1.19.0

CVE-2023-37874

CVE Patchstack Wordfence WPScan

High 7.2

2023-07-10< 1.18.11

CVE-2023-1208

CVE Patchstack Wordfence WPScan

High 7.2

2023-05-15< 1.18.9

CVE-2023-1207

CVE Patchstack Wordfence WPScan