Insert Headers and Footers Code – HT Script < 1.1.3 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update | CVE 2025-2779 | Plugin Vulnerabilities

Description

The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true, such as registration.

Affects Plugins

insert-headers-and-footers-script

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/75bc2295-bf9a-430f-92b7-d380eed6df11

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

kr0d

Verified

No

WPVDB ID

f0571dc6-141f-4ebb-ad90-be179dfa4117

Timeline

Publicly Published

2025-04-01 (about 1 year ago)

Added

2025-04-01 (about 1 year ago)

Last Updated

2025-04-02 (about 1 year ago)

Other

Published

Title

Published

2024-10-10

Title

Linkz.ai < 1.2.0 - Subscriber+ Plugin Settings Update

Published

2025-01-15

Title

Ksher < 1.1.3 - Missing Authorization

Published

2024-08-07

Title

Robin image optimizer < 1.7.0 - Missing Authorization

Published

2025-03-21

Title

ProfileGrid – User Profiles, Groups and Communities < 5.9.4.5 - Missing Authorinzation to Authenticated (Subscriber+) Join Group Requests Management

Published

2024-04-08

Title

5 star review funnel for Google Reviews, Trustpilot, ProvenExpert and more | RRatingg < 1.3.02 - Missing Authorization