WordPress HTTP Headers Plugin Path Traversal Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the HTTP Headers plugin for WordPress, affecting all versions up to and including 1.19.2. The plugin does not validate the file path stored in the 'hh_htpasswd_path' option and does not sanitize the value of the 'hh_www_authenticate_user' option. Together, the two defects allow an authenticated attacker with Administrator-level access to write arbitrary content, including PHP code, to any file path the web server process is permitted to write.

Impact

Exploitation of this vulnerability allows an authenticated user with Administrator privileges to execute arbitrary code on the server by writing PHP into a web-served file. Note that in a default single-site WordPress installation an Administrator can already upload plugins and therefore run code; the finding matters most on hardened sites (for example with DISALLOW_FILE_MODS set) and on multisite installations, where a site Administrator is not a super admin and is not expected to reach the file system.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges sets the 'hh_htpasswd_path' option to an arbitrary file path; the plugin does not validate it. The user then stores an unsanitized value, such as a PHP tag, in the 'hh_www_authenticate_user' option. When the plugin processes HTTP Basic Authentication, it writes the htpasswd entry containing that username to the configured path. If the path points to a location the web server interprets as PHP, for example a .php file under the document root, requesting that file executes the injected code.
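The following PHP is an added illustration and is not the HTTP Headers plugin's own code. It shows the pattern the advisory describes (an htpasswd entry built from an unvalidated path and an unsanitized username) next to a hardened form that confines the file to a fixed directory, rejects executable extensions and restricts the username character set. The function names, the HH_HTPASSWD_DIR location and the sample inputs are assumptions made for this example; the hardened form deliberately changes the design so the administrator chooses only a filename, not a full path.

```php
<?php
// Added example, not the plugin's code. Vulnerable pattern beside a hardened form.
// hh_write_htpasswd_vulnerable, hh_write_htpasswd_hardened and HH_HTPASSWD_DIR are
// names assumed for this illustration.
declare(strict_types=1);

// Directory the plugin is allowed to write into (assumed). For the demo below it is a
// temporary directory; in production it should sit outside the document root.
define('HH_HTPASSWD_DIR', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hh-htpasswd-demo');

/**
 * Vulnerable pattern: both option values are trusted as stored.
 * $path mirrors 'hh_htpasswd_path', $user mirrors 'hh_www_authenticate_user'.
 * With $path = '/var/www/html/wp-content/uploads/shell.php' and
 * $user = '<?php system($_GET["c"]); ?>', PHP code lands in a web-served file.
 */
function hh_write_htpasswd_vulnerable(string $path, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT); // $2y$ hashes are accepted by Apache 2.4.4+
    file_put_contents($path, $user . ':' . $hash . "\n");
}

/**
 * Hardened form: constrain where the file may live and what the username may contain.
 * Returns the path actually written, or throws on rejected input.
 */
function hh_write_htpasswd_hardened(string $path, string $user, string $password): string
{
    // 1. Username: one 'user:hash' per line, so a conservative character set is enough.
    //    This excludes ':', newlines, whitespace and anything that could open a PHP tag.
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('Invalid username for htpasswd entry');
    }

    // 2. Path: keep only the filename; the directory is fixed by the plugin.
    //    basename() drops every directory component, so '../../x.php' becomes 'x.php'.
    $name = basename($path);
    if ($name === '' || $name === '.' || $name === '..' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        throw new InvalidArgumentException('Invalid htpasswd filename');
    }
    // Refuse extensions a web server may execute; an htpasswd file never needs them.
    if (preg_match('/\.(php\d*|phtml|phar)\z/i', $name)) {
        throw new InvalidArgumentException('Refusing to write an executable extension');
    }

    $dir = realpath(HH_HTPASSWD_DIR);
    if ($dir === false) {
        throw new RuntimeException('htpasswd directory does not exist');
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name;

    // 3. An existing file could have been replaced by a symlink pointing elsewhere;
    //    realpath() follows links, and the result must still be inside $dir.
    if (file_exists($target)) {
        $resolved = realpath($target);
        if ($resolved === false || strncmp($resolved, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
            throw new RuntimeException('htpasswd path escapes the allowed directory');
        }
    }

    $hash = password_hash($password, PASSWORD_BCRYPT);
    file_put_contents($target, $user . ':' . $hash . "\n", LOCK_EX);
    chmod($target, 0600); // hashes should not be world-readable
    return $target;
}

// Demo with constructed inputs: the first two mimic the attack described above.
@mkdir(HH_HTPASSWD_DIR, 0700, true);
$cases = [
    ['/var/www/html/wp-content/uploads/shell.php', '<?php system($_GET["c"]); ?>'],
    ['../../.htpasswd', "admin\nevil:x"],
    ['.htpasswd', 'admin'],
];
foreach ($cases as [$p, $u]) {
    try {
        echo 'accepted: ', hh_write_htpasswd_hardened($p, $u, 'correct horse battery staple'), "\n";
    } catch (Exception $e) {
        echo "rejected ($p): ", $e->getMessage(), "\n";
    }
}
```

The first case is rejected on the username alone, and would also fail the extension check; the second fails the username check because of the embedded newline and colon; only the third is written, and it is written inside HH_HTPASSWD_DIR regardless of what the stored path said.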

Added: Apr 22, 2026, 10:09 AM
Updated: Apr 22, 2026, 10:09 AM

Vulnerability Rating

Custom Algorithm

spread            1.0
impact           10.0
exploitability    6.0
remediation       0.0
relevance         6.5
threat            4.8
urgency           2.9
incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.