Description
The Header Footer Script Adder – Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Header Footer Script Adder plugin allows contributors or higher‑level users to add scripts through its post editor; the plugin does not sanitize this input or escape the output, so malicious JavaScript can be stored in the post content and will run in the browser of any user who views the post. This stored Cross‑Site Scripting flaw can enable attackers to run arbitrary client‑side code on the site’s front‑end, potentially impacting user sessions or delivering malicious payloads.

Affected Systems

WordPress sites that install the Header Footer Script Adder plugin version 2.0.5 or earlier are affected. Any installation where a user with Contributor or higher rights can edit posts is vulnerable because the plugin does not restrict script input.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity issue. The EPSS score of less than 1% points to a low exploitation probability at present, and the vulnerability is not listed in CISA’s KEV catalog. An attacker must be authenticated with Contributor or higher privileges to insert the malicious code; after the script is stored, any visitor to the affected page will execute the code in their browser. The exploit does not require additional privileges beyond the specified role and could be used to redirect users or inject harmful content.

Generated by OpenCVE AI on April 21, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a recent release of the Header Footer Script Adder plugin that removes the input validation flaw; if an update beyond 2.0.5 is unavailable, deactivate or uninstall the plugin entirely to eliminate the vulnerability.
  • Audit the site’s posts and custom fields for any embedded JavaScript that may have been stored before the plugin was removed or updated, and delete any malicious code found.
  • Configure WordPress or a security plugin to enforce strict content sanitization for all user‑generated content, especially removing <script> tags from posts, to mitigate future injection risks.

Generated by OpenCVE AI on April 21, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Header Footer Script Adder – Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Header Footer Script Adder – Insert Code in Header, Body & Footer <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:20.433Z

Reserved: 2025-10-23T13:46:20.322Z

Link: CVE-2025-12109

cve-icon Vulnrichment

Updated: 2025-12-15T15:43:07.817Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:46.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses