ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Host Header Notification Email

December 10, 2018 · 14:08 · W.V. Pelyn T. Palarao
Description

Fix “From”, “Name”, and “Return-Path” headers for all WP notification emails since this is a long-standing WP security vulnerability.

Discussion
Daniel Hendricks

Agree, this functionality should be in core: https://wordpress.org/plugins/host-header-injection-fix/

(not my plugin/no affiliation; noted for reference)

invisnet

A quick read suggests that the root problem is that the web server doesn't handle $_SERVER['SERVER_NAME'] correctly.

Is there more to it than that?

If not, I'd suggest a better solution is to flag this during install/upgrade so that the actual problem can be fixed, and point people towards a suitable plugin if they can't/won't fix the real problem.
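
Added example, not part of the thread and not the linked plugin's code: one way a small must-use plugin could cover both ideas discussed above, pinning the From, Name and Return-Path headers to the configured site host and flagging a server whose `SERVER_NAME` disagrees with it. Functions prefixed `example_` are hypothetical, and the code assumes the stored site URL is a fixed value rather than one built from the request.

```php
<?php
// Added example. Functions prefixed example_ are hypothetical names;
// the hooks and helper functions used are WordPress core.

// Canonical host from the stored site URL, not from the incoming request.
// Assumption: WP_HOME / the home option is fixed, not derived from HTTP_HOST.
function example_canonical_host() {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    $host = is_string( $host ) ? strtolower( $host ) : '';
    return ( 0 === strpos( $host, 'www.' ) ) ? substr( $host, 4 ) : $host;
}

// Pin the From address for every wp_mail() call.
function example_pin_from( $from ) {
    $pinned = 'wordpress@' . example_canonical_host();
    // If the host is unusable (e.g. "localhost"), use the stored admin address
    // rather than the incoming default, which may come from the request.
    return is_email( $pinned ) ? $pinned : get_option( 'admin_email' );
}
add_filter( 'wp_mail_from', 'example_pin_from', PHP_INT_MAX );

// Pin the display name to the stored site title.
function example_pin_from_name( $name ) {
    return wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES );
}
add_filter( 'wp_mail_from_name', 'example_pin_from_name', PHP_INT_MAX );

// PHPMailer's Sender is the envelope sender, which becomes Return-Path.
function example_pin_return_path( $phpmailer ) {
    $phpmailer->Sender = $phpmailer->From;
}
add_action( 'phpmailer_init', 'example_pin_return_path', PHP_INT_MAX );

// Warn administrators when the server reports a different SERVER_NAME.
function example_server_name_notice() {
    $reported = isset( $_SERVER['SERVER_NAME'] ) ? strtolower( wp_unslash( $_SERVER['SERVER_NAME'] ) ) : '';
    $reported = ( 0 === strpos( $reported, 'www.' ) ) ? substr( $reported, 4 ) : $reported;
    if ( $reported === example_canonical_host() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( "SERVER_NAME ({$reported}) does not match the configured site host." )
    );
}
add_action( 'admin_notices', 'example_server_name_notice' );
```

Because the filters run at the highest priority, they also override a From address set on purpose by another plugin; lower the priority if that is not wanted.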