GD Security Headers Security & Risk Analysis

wordpress.org/plugins/gd-security-headers

Configure various security-related HTTP headers, including CSP, XSS, Referrer Policy and more.

1K active installs · v1.8 · PHP 7.4+ · WP 5.5+ · Updated Jun 7, 2024
Tags: content-security-policy, csp, dev4press, permission-policy, security

Score: 91 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 29, 2023
Safety Verdict

Is GD Security Headers Safe to Use in 2026?

Generally Safe

Score 91/100

GD Security Headers has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Oct 29, 2023 · Updated 1yr ago
Risk Assessment

The 'gd-security-headers' plugin v1.8 exhibits a mixed security posture. On the positive side, it has a remarkably small attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks. This significantly reduces the opportunities for direct exploitation. Furthermore, the plugin demonstrates good practices in its handling of SQL queries, with a high percentage utilizing prepared statements, and a decent number of nonce and capability checks present in the code.

However, several concerns warrant attention. The presence of the `unserialize` function is a significant red flag, as it's a common vector for remote code execution if used with untrusted input. While the taint analysis did not reveal critical or high severity flows directly related to `unserialize` in this specific analysis, the function itself represents a latent risk. The low percentage of properly escaped output (41%) suggests a potential for Cross-Site Scripting (XSS) vulnerabilities, which could be exploited if certain data is not handled carefully before being displayed to users. The plugin's history of two High/Medium severity vulnerabilities, specifically related to SQL Injection and XSS, indicates a pattern of past security weaknesses that, while currently patched, suggest the code might be prone to such issues.

In conclusion, while the plugin's minimal attack surface is a strong security advantage, the presence of `unserialize` and the historically problematic output escaping and vulnerability types present genuine risks. The past vulnerabilities, though patched, serve as a reminder of potential weaknesses. Continued vigilance in code review and robust testing for the specific use of `unserialize` and all output rendering is recommended.

Key Concerns

  • Dangerous function: unserialize detected
  • Low percentage of properly escaped output (41%)
  • Historical vulnerability pattern (SQLi, XSS)
  • Flows with unsanitized paths (Taint Analysis)
Vulnerabilities
2 published

GD Security Headers Security Vulnerabilities

CVEs by Year

2023: 2 CVEs (all patched)

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2023-46821 · High · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

GD Security Headers <= 1.7 - Authenticated (Admin+) SQL Injection

Oct 29, 2023 · Patched in 1.7.1 (86d)

CVE-2023-40330 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GD Security Headers <= 1.6.1 - Reflected Cross-Site Scripting

Aug 17, 2023 · Patched in 1.7 (159d)
Code Analysis
Analyzed Mar 16, 2026

GD Security Headers Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 6 (28 prepared)
  • Unescaped Output: 182 (128 escaped)
  • Nonce Checks: 8
  • Capability Checks: 5
  • File Operations: 17
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$this->{$key} = unserialize(serialize($val));` · d4plib\classes\d4p.base.php:41

SQL Query Safety

82% prepared (34 total queries)

Output Escaping

41% escaped (310 total outputs)
Data Flows · Security
2 unsanitized

Data Flow Analysis

3 flows, 2 with unsanitized paths

  • wp_redirect_self (d4plib\d4p.wp.php:515)
Attack Surface

GD Security Headers Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 103
action · gdsih_plugin_init · core\admin\plugin.php:15
action · network_admin_menu · core\admin\plugin.php:21
filter · set-screen-option · core\admin\plugin.php:23
action · admin_notices · core\admin\plugin.php:29
action · admin_notices · core\admin\plugin.php:33
action · load-security-headers_page_gd-security-headers-csp-reports · core\admin\plugin.php:210
action · load-security-headers_page_gd-security-headers-xxp-reports · core\admin\plugin.php:211
filter · gdsih_csp_build_basic_rule · core\csp\cdn.php:16
filter · gdsih_csp_build_basic_rule · core\csp\gleam.php:23
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\gleam.php:25
filter · gdsih_csp_build_custom_rules_for_script · core\csp\gleam.php:26
filter · gdsih_csp_build_custom_rules_for_img · core\csp\gleam.php:27
filter · gdsih_csp_build_basic_rule · core\csp\google-adsense.php:152
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-adsense.php:154
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\google-adsense.php:155
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-adsense.php:156
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\google-adsense.php:157
filter · gdsih_csp_build_basic_rule · core\csp\google-analytics.php:33
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-analytics.php:35
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\google-analytics.php:36
filter · gdsih_csp_build_custom_rules_for_font · core\csp\google-analytics.php:37
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-analytics.php:38
filter · gdsih_csp_build_basic_rule · core\csp\google-fonts.php:24
filter · gdsih_csp_build_custom_rules_for_style · core\csp\google-fonts.php:26
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-fonts.php:27
filter · gdsih_csp_build_custom_rules_for_font · core\csp\google-fonts.php:28
filter · gdsih_csp_build_basic_rule · core\csp\google-maps.php:33
filter · gdsih_csp_build_custom_rules_for_style · core\csp\google-maps.php:35
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-maps.php:36
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\google-maps.php:37
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\google-maps.php:38
filter · gdsih_csp_build_custom_rules_for_font · core\csp\google-maps.php:39
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-maps.php:40
filter · gdsih_csp_build_basic_rule · core\csp\google-tag-manager.php:26
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-tag-manager.php:28
filter · gdsih_csp_build_custom_rules_for_style · core\csp\google-tag-manager.php:29
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\google-tag-manager.php:30
filter · gdsih_csp_build_custom_rules_for_child · core\csp\google-tag-manager.php:31
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\google-tag-manager.php:32
filter · gdsih_csp_build_custom_rules_for_font · core\csp\google-tag-manager.php:33
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-tag-manager.php:34
filter · gdsih_csp_build_basic_rule · core\csp\google-translate.php:31
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-translate.php:33
filter · gdsih_csp_build_custom_rules_for_style · core\csp\google-translate.php:34
filter · gdsih_csp_build_custom_rules_for_script · core\csp\google-translate.php:35
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\google-translate.php:36
filter · gdsih_csp_build_basic_rule · core\csp\google-youtube.php:19
filter · gdsih_csp_build_custom_rules_for_img · core\csp\google-youtube.php:21
filter · gdsih_csp_build_custom_rules_for_child · core\csp\google-youtube.php:22
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\google-youtube.php:23
filter · gdsih_csp_build_basic_rule · core\csp\gravatar.php:16
filter · gdsih_csp_build_custom_rules_for_img · core\csp\gravatar.php:18
filter · gdsih_csp_build_basic_rule · core\csp\instagram.php:20
filter · gdsih_csp_build_custom_rules_for_script · core\csp\instagram.php:22
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\instagram.php:23
filter · gdsih_csp_build_basic_rule · core\csp\paypal.php:21
filter · gdsih_csp_build_custom_rules_for_script · core\csp\paypal.php:23
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\paypal.php:24
filter · gdsih_csp_build_custom_rules_for_child · core\csp\paypal.php:25
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\paypal.php:26
filter · gdsih_csp_build_custom_rules_for_font · core\csp\paypal.php:27
filter · gdsih_csp_build_custom_rules_for_img · core\csp\paypal.php:28
filter · gdsih_csp_build_basic_rule · core\csp\vimeo.php:31
filter · gdsih_csp_build_custom_rules_for_default · core\csp\vimeo.php:33
filter · gdsih_csp_build_custom_rules_for_connect · core\csp\vimeo.php:34
filter · gdsih_csp_build_custom_rules_for_child · core\csp\vimeo.php:35
filter · gdsih_csp_build_custom_rules_for_frame · core\csp\vimeo.php:36
filter · gdsih_csp_build_custom_rules_for_script · core\csp\vimeo.php:37
filter · gdsih_csp_build_custom_rules_for_style · core\csp\vimeo.php:38
filter · gdsih_csp_build_basic_rule · core\csp\wordpress.php:17
filter · gdsih_csp_build_custom_rules_for_img · core\csp\wordpress.php:19
action · template_redirect · core\objects\core.csp.php:20
filter · gdsih_htaccess_build_list · core\objects\core.csp.php:23
filter · gdsih_htaccess_build_list · core\objects\core.feature.php:21
filter · gdsih_htaccess_build_list · core\objects\core.headers.php:13
action · template_redirect · core\objects\core.xxp.php:16
filter · gdsih_htaccess_build_list · core\objects\core.xxp.php:19
action · gdsih_saved_the_settings · core\plugin.php:66
action · gdsih_load_settings · core\settings.php:163
filter · http_request_args · d4plib\classes\d4p.four.php:91
action · switch_blog · d4plib\core\d4p.wpdb.php:49
filter · sanitize_key · d4plib\core\d4p.wpdb.php:83
filter · plugin_action_links · d4plib\plugin\d4p.admin-basic.php:49
filter · plugin_row_meta · d4plib\plugin\d4p.admin-basic.php:50
action · admin_init · d4plib\plugin\d4p.admin-basic.php:88
action · admin_menu · d4plib\plugin\d4p.admin-basic.php:89
action · current_screen · d4plib\plugin\d4p.admin-basic.php:91
action · admin_enqueue_scripts · d4plib\plugin\d4p.admin-basic.php:92
action · admin_notices · d4plib\plugin\d4p.admin-options.php:78
action · admin_notices · d4plib\plugin\d4p.admin-options.php:82
action · admin_init · d4plib\plugin\d4p.admin.php:74
action · admin_init · d4plib\plugin\d4p.admin.php:75
action · admin_menu · d4plib\plugin\d4p.admin.php:76
action · add_meta_boxes · d4plib\plugin\d4p.admin.php:77
action · current_screen · d4plib\plugin\d4p.admin.php:79
action · admin_enqueue_scripts · d4plib\plugin\d4p.admin.php:81
action · customize_controls_enqueue_scripts · d4plib\plugin\d4p.customizer.php:45
action · customize_register · d4plib\plugin\d4p.customizer.php:46
action · plugins_loaded · d4plib\plugin\d4p.plugin.php:45
action · after_setup_theme · d4plib\plugin\d4p.plugin.php:46
action · widgets_init · d4plib\plugin\d4p.plugin.php:74
action · wp_enqueue_scripts · d4plib\plugin\d4p.plugin.php:78
action · shortcode_ui_before_do_shortcode · d4plib\plugin\d4p.shortcodes.php:83
Maintenance & Trust

GD Security Headers Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Jun 7, 2024
PHP min version: 7.4
Downloads: 31K

Community Trust

Rating: 80/100
Number of ratings: 8
Active installs: 1K
Developer Profile

GD Security Headers Developer Profile

Milan Petrovic

17 plugins · 12K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1106 days
Detection Fingerprints

How We Detect GD Security Headers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/gd-security-headers/d4plib/css/admin/d4p-admin-grid.css
  • /wp-content/plugins/gd-security-headers/d4plib/css/admin/d4p-admin.css
  • /wp-content/plugins/gd-security-headers/d4plib/css/admin/d4p-admin-table.css
  • /wp-content/plugins/gd-security-headers/d4plib/css/core/d4p-core.css
  • /wp-content/plugins/gd-security-headers/d4plib/js/admin/d4p-admin.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.core.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.datetime.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.scope.js
  • +13 more
Script Paths
  • /wp-content/plugins/gd-security-headers/d4plib/js/admin/d4p-admin.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.core.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.datetime.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.scope.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.wpdb.js
  • /wp-content/plugins/gd-security-headers/d4plib/js/core/d4p.wp.js
  • +11 more
Version Parameters
  • gd-security-headers/style.css?ver=
  • gd-security-headers/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
gdsih-overview-wrapper, gdsih-csp-reports-grid, gdsih-xxp-reports-grid
Data Attributes
data-page-id, data-post-id
JS Globals
gdsih_admin_data_gdsih_core_gdsih_settings_gdsih_dbgdsih_scope
FAQ

Frequently Asked Questions about GD Security Headers