Host Header Injection Fix Wordpress Plugin - Rating, Reviews, Demo & Download


Plugin Description

Brand new plugin with all-new shiny code fresh from the WP API!

This plugin enables you to choose the “From”, “Name”, and “Return-Path” headers for WP notification emails. In doing so, it fixes a long-standing security vulnerability.

“Set it and forget it” security fix

This simple plugin does two things:

  1. Sets custom From, Name, and Return-Path for WP notifications
  2. Fixes a security vulnerability in sending WP notifications

Choose from the following options:

  • Disable fix and let WordPress decide
  • Use “Email Address” from WP General Settings
  • Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.


The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing it, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

  • A “From” address is not set
  • And $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? What follows is a quick summary. For more depth, check out the resources linked in the next section.

  • WP uses $_SERVER['SERVER_NAME'] to set the “From” header in notifications
  • This includes sensitive emails like password resets and user registration
  • In some cases, an attacker could modify the “From” header and intercept the email
  • Using the intercepted email, an attacker could gain access to your site
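The mitigation the plugin describes, written here as an added example (not the plugin's own code): a must-use plugin that pins the From address, From name and Return-Path through WordPress's own hooks, so the sender never depends on SERVER_NAME. The constant names and the address values are assumptions; substitute your own.

```php
<?php
/**
 * Plugin Name: Fixed Mail Sender (example)
 * Description: Pins the From, From-name and Return-Path used by wp_mail() so
 *              they never depend on $_SERVER['SERVER_NAME'] / the Host header.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Hypothetical settings; in a real deployment read them from a settings page
// or wp-config.php rather than hard-coding them here.
define( 'EXAMPLE_MAIL_FROM',      'noreply@example.com' );
define( 'EXAMPLE_MAIL_FROM_NAME', 'Example Site' );

/**
 * Resolve the address to use. Falls back to the admin email from
 * WP General Settings if the configured value is not a valid address.
 */
function example_fixed_from_address( $ignored = '' ) {
    $from = sanitize_email( EXAMPLE_MAIL_FROM );
    if ( ! is_email( $from ) ) {
        $from = sanitize_email( get_option( 'admin_email' ) );
    }
    return $from;
}

// wp_mail() derives "wordpress@<SERVER_NAME>" and then runs it through this
// filter, so a late-priority override replaces whatever the request supplied.
add_filter( 'wp_mail_from', 'example_fixed_from_address', PHP_INT_MAX );

// The display name is filtered separately.
add_filter( 'wp_mail_from_name', function ( $name ) {
    return EXAMPLE_MAIL_FROM_NAME;
}, PHP_INT_MAX );

// Return-Path (the envelope sender, where bounces go) is not a wp_mail()
// header; it is the Sender property on the PHPMailer instance.
add_action( 'phpmailer_init', function ( $phpmailer ) {
    $phpmailer->Sender = example_fixed_from_address();
} );
```

To verify the fix, trigger a password reset for a test account and inspect the received message: both the From header and the Return-Path should show the configured address, not a value derived from the request's host.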

More Info

This security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:

  • WP Core Trac Ticket
  • WP Vulnerability Database
  • Exploit Box Info
  • Even more infos

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a cash donation, bitcoin donation, or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

  • BBQ Pro – Pro version of Block Bad Queries
  • Blackhole Pro – Pro version of Blackhole for Bad Bots
  • SES Pro – Super-simple & flexible email signup forms
  • USP Pro – Pro version of User Submitted Posts

Links, tweets and likes also appreciated. Thank you! 🙂
