HTTP Headers Security & Risk Analysis

wordpress.org/plugins/http-headers

HTTP Headers adds CORS & security HTTP headers to your website.

50K active installs · v1.19.2 · PHP 5.3+ · WP 3.2+ · Updated Dec 22, 2024
Tags: cors-headers, csp-header, custom-headers, http-headers, security-headers
Score: 91 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jul 13, 2023
Safety Verdict

Is HTTP Headers Safe to Use in 2026?

Generally Safe

Score 91/100

HTTP Headers has no unpatched CVEs: all four known vulnerabilities have been fixed. They were not fixed quickly, though; the patch intervals listed on this page run from 194 to 274 days (221 on average), and three of the four required an Administrator-level account to exploit.

4 known CVEs · Last CVE: Jul 13, 2023 · Updated 1yr ago
Risk Assessment

The http-headers plugin exhibits a mixed security posture. On the positive side, static analysis finds no unprotected entry points, no dangerous functions, no raw SQL queries at all (so any database access goes through WordPress APIs rather than hand-built queries), and nine nonce checks. Against that, only one explicit capability check was found, only 18% of outputs (68 of 380) are escaped, and two of the three analyzed taint flows reach a sink over an unsanitized path, which is the same class of defect as the stored XSS fixed in 1.19.0. The plugin's history of four medium-severity CVEs in 2023, spanning SSRF, stored XSS, code injection and SQL injection, is the main red flag: all are patched, but the recurrence of four distinct injection classes within a single year points to input handling that is fixed bug by bug rather than by design. The scan's count of zero external requests should also be read with care, since a patched SSRF implies the plugin can issue server-side requests on user-supplied input. The plugin's strengths are a small attack surface (one AJAX handler, ten hooks) and no direct database access; the weak output escaping and recent vulnerability history warrant caution, and running a version older than 1.19.0 is not advisable.

Key Concerns

  • Only 18% of outputs escaped (68 of 380)
  • 2 of 3 analyzed data flows reach a sink over an unsanitized path
  • Only 1 explicit capability check found, against 9 nonce checks
  • History of 4 medium-severity CVEs in 2023: SSRF, stored XSS, code injection, SQLi
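One way to close the gap the scan describes (capability gate, nonce check, sanitize on write, escape per context on read), as an added PHP example that is not the plugin's own code. It assumes WordPress is loaded; the option name, nonce action, menu slug and header name are hypothetical, and only WordPress core functions are used.

```php
<?php
// Added example, not the plugin's code: the save/display round-trip for one
// custom header setting, first as the weak pattern the scan flags (no gate,
// no nonce, raw store, raw echo), then hardened. Assumes WordPress is loaded;
// the option name, nonce action, menu slug and header name are hypothetical.

// Weak pattern: stores and echoes raw input, and any code path can reach it.
function hh_example_settings_weak() {
    if ( isset( $_POST['hh_header_value'] ) ) {
        update_option( 'hh_example_header', $_POST['hh_header_value'] );   // unsanitized write
    }
    $value = get_option( 'hh_example_header', '' );
    echo '<input name="hh_header_value" value="' . $value . '">';         // unescaped attribute: stored XSS sink
}

// Hardened pattern: capability gate, nonce check, sanitize on write, escape per context on read.
function hh_example_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    if ( isset( $_POST['hh_header_value'] ) ) {
        // Dies with a 403 unless a valid nonce for this exact action was submitted.
        check_admin_referer( 'hh_example_save', 'hh_example_nonce' );
        // wp_unslash removes the slashes WordPress adds to request data;
        // sanitize_text_field strips tags and line breaks, which also keeps
        // the value to a single header line.
        $clean = sanitize_text_field( wp_unslash( $_POST['hh_header_value'] ) );
        update_option( 'hh_example_header', $clean );
    }
    $value = get_option( 'hh_example_header', '' );
    echo '<form method="post">';
    wp_nonce_field( 'hh_example_save', 'hh_example_nonce' );
    echo '<input name="hh_header_value" value="' . esc_attr( $value ) . '">'; // attribute context
    echo '<p>Current value: ' . esc_html( $value ) . '</p>';                  // element-text context
    echo '<button type="submit">Save</button></form>';
}

add_action( 'admin_menu', function () {
    // The menu capability gates the page itself; the handler re-checks it anyway,
    // so its safety does not depend on how it was reached.
    add_options_page( 'HH Example', 'HH Example', 'manage_options', 'hh-example', 'hh_example_settings_hardened' );
} );

// Emitting the stored value as a response header on the front end.
function hh_example_send_header() {
    $value = (string) get_option( 'hh_example_header', '' );
    // Re-check on read: the option may have been written by an older, unsanitized path.
    $value = str_replace( array( "\r", "\n" ), '', $value );
    if ( '' === $value || headers_sent() ) {
        return;
    }
    header( 'X-Example-Header: ' . $value );
}
add_action( 'send_headers', 'hh_example_send_header' );
```

The point the escaping percentage measures is the last step: escaping happens at output, chosen for the context (attribute versus element text), regardless of what was done on save, because the stored value may not have come through the current save path.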
Vulnerabilities
4

HTTP Headers Security Vulnerabilities

CVEs by Year

2023: 4 CVEs (all patched)

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2023-37978 · medium · CVSS 5.5 · Server-Side Request Forgery (SSRF)
HTTP Headers <= 1.18.11 - Server-Side Request Forgery
Jul 13, 2023 · Patched in 1.19.0 (194d)

CVE-2023-37874 · medium · CVSS 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HTTP Headers <= 1.18.11 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jul 10, 2023 · Patched in 1.19.0 (197d)

CVE-2023-1208 · medium · CVSS 6.6 · Improper Control of Generation of Code ('Code Injection')
HTTP Headers <= 1.18.10 - Authenticated (Administrator+) Remote Code Execution
Jun 19, 2023 · Patched in 1.18.11 (218d)

CVE-2023-1207 · medium · CVSS 6.6 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HTTP Headers <= 1.18.8 - Authenticated (Administrator+) SQL Injection
Apr 24, 2023 · Patched in 1.18.9 (274d)
Code Analysis
Analyzed Mar 16, 2026

HTTP Headers Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared; no direct database queries found)
Unescaped Output: 312 (68 escaped)
Nonce Checks: 9
Capability Checks: 1
File Operations: 3
External Requests: 0 (static count only; the patched SSRF, CVE-2023-37978, shows the plugin can issue server-side requests, so treat this as a limitation of the analysis rather than evidence that none exist)
Bundled Libraries: 0

Output Escaping

18% escaped (68 of 380 total outputs)

Data Flows

2 unsanitized

Data Flow Analysis

3 flows, 2 with unsanitized paths
http_headers (http-headers.php:608)
[Flow diagram not recoverable from extraction; its legend: source (user input) to sink (dangerous op), with sanitizer/transform steps marked sanitized or unsanitized.]
Attack Surface

HTTP Headers Attack Surface

Entry Points: 1 (Unprotected: 0)

AJAX Handlers (1)

auth · wp_ajax_inspect · http-headers.php:1613
(wp_ajax_* hooks fire for any logged-in user, so "auth" here means authenticated, not administrator; the handler's own nonce and capability checks decide who can actually use it.)

WordPress Hooks (10)

action · wp_logout · http-headers.php:1602
action · admin_menu · http-headers.php:1605
action · admin_init · http-headers.php:1606
filter · pre_update_option · http-headers.php:1607
action · added_option · http-headers.php:1608
action · updated_option · http-headers.php:1609
action · admin_enqueue_scripts · http-headers.php:1610
action · after_setup_theme · http-headers.php:1611
action · plugins_loaded · http-headers.php:1612
action · send_headers · http-headers.php:1616
Maintenance & Trust

HTTP Headers Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 22, 2024
PHP min version: 5.3
Downloads: 716K

Community Trust

Rating: 86/100
Number of ratings: 70
Active installs: 50K
Developer Profile

HTTP Headers Developer Profile

Dimitar Ivanov

1 plugin · 50K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 221 days
Detection Fingerprints

How We Detect HTTP Headers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/http-headers/css/admin.css
  /wp-content/plugins/http-headers/css/front.css
  /wp-content/plugins/http-headers/js/admin.js
  /wp-content/plugins/http-headers/js/front.js
Script Paths
  /wp-content/plugins/http-headers/js/admin.js
  /wp-content/plugins/http-headers/js/front.js
Version Parameters
  http-headers/css/admin.css?ver=
  http-headers/css/front.css?ver=
  http-headers/js/admin.js?ver=
  http-headers/js/front.js?ver=

HTML / DOM Fingerprints

CSS Classes
http-headers-menu
HTML Comments
<!-- http_headers_start -->
<!-- http_headers_end -->
Data Attributes
data-hh-nonce
JS Globals
httpHeaders
REST Endpoints
/wp-json/http-headers/v1/settings
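A way to apply the fingerprints above to a fetched page, as an added PHP example that is not the site's or the plugin's code: it matches the asset paths, HTML comments, CSS class, data attribute, JS global and REST route listed here, pulls a version hint from the asset `?ver=` parameter, and compares it against the fixed-in versions from the vulnerability section. The HTML sample is constructed; the script assumes PHP 7.1+ and is run with the `php` CLI.

```php
<?php
// Added example (not the plugin's or site's code): match the fingerprints
// listed on this page against an HTML document and derive a version hint.
// Assumes PHP 7.1+; the sample HTML below is constructed for the demo.

const HH_PATTERNS = array(
    'asset_path'   => '#/wp-content/plugins/http-headers/(?:css|js)/(?:admin|front)\.(?:css|js)#',
    'html_comment' => '#<!-- http_headers_(?:start|end) -->#',
    'css_class'    => '#\bhttp-headers-menu\b#',
    'data_attr'    => '#\bdata-hh-nonce=#',
    'js_global'    => '#\bhttpHeaders\s*=#',
    'rest_route'   => '#/wp-json/http-headers/v1/settings#',
);

// Version parameter on the plugin's own assets, e.g. front.css?ver=1.18.10
const HH_VERSION_RE = '#/wp-content/plugins/http-headers/(?:css|js)/(?:admin|front)\.(?:css|js)\?ver=([0-9][0-9A-Za-z.\-]*)#';

// Fixed-in versions as listed in the vulnerability section of this page.
const HH_FIXED_IN = array(
    'CVE-2023-1207'  => '1.18.9',
    'CVE-2023-1208'  => '1.18.11',
    'CVE-2023-37874' => '1.19.0',
    'CVE-2023-37978' => '1.19.0',
);

/** Return which fingerprints matched, whether any did, and a version hint. */
function hh_detect( string $html ): array {
    $signals = array();
    foreach ( HH_PATTERNS as $name => $re ) {
        $signals[ $name ] = 1 === preg_match( $re, $html );
    }
    $version = null;
    if ( 1 === preg_match( HH_VERSION_RE, $html, $m ) ) {
        $version = $m[1];
    }
    return array(
        'detected' => in_array( true, $signals, true ),
        'signals'  => $signals,
        'version'  => $version,
    );
}

/** CVEs from this page whose fix version is newer than the detected version. */
function hh_predates_fix_for( ?string $version ): array {
    $cves = array();
    if ( null === $version ) {
        return $cves; // no version hint: cannot say either way
    }
    foreach ( HH_FIXED_IN as $cve => $fixed ) {
        if ( version_compare( $version, $fixed, '<' ) ) {
            $cves[] = $cve;
        }
    }
    return $cves;
}

// Constructed sample page: front-end assets at 1.18.10 plus the wrapper comments.
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/http-headers/css/front.css?ver=1.18.10">
<script src="https://example.test/wp-content/plugins/http-headers/js/front.js?ver=1.18.10"></script>
</head><body>
<!-- http_headers_start -->
<p>site content</p>
<!-- http_headers_end -->
</body></html>
HTML;

$result = hh_detect( $sample );
$result['predates_fix_for'] = hh_predates_fix_for( $result['version'] );
print_r( $result );
```

Treat the version as a hint, not a fact: WordPress appends its own core version as `?ver=` when a plugin enqueues an asset without one, and caching layers may rewrite the parameter, so the presence of the plugin's asset path or wrapper comments is the stronger detection signal. On the constructed sample the hint is 1.18.10, which predates the fixes for CVE-2023-1208, CVE-2023-37874 and CVE-2023-37978 but not CVE-2023-1207.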
FAQ

Frequently Asked Questions about HTTP Headers