Header and Footer Scripts < 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-11453 | Plugin Vulnerabilities

Description

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

header-and-footer-scripts

Fixed in 2.4.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Powpy

Verified

No

WPVDB ID

faae8595-2f91-45f6-8022-e5db674324bb

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-08 (about 4 months ago)

Last Updated

2026-01-23 (about 4 months ago)

Other

Published

Title

Published

2025-12-11

Title

WPLG Default Mail From <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

Published

2025-04-09

Title

MapSVG Lite < 8.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-04-01

Title

Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting

Published

2023-11-29

Title

Responsive Lightbox < 2.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via name

Published

2021-04-07

Title

OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error