CVE-2025-12112

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Author-level permissions or higher to inject malicious scripts into website pages via the Insert Headers and Footers Code plugin. The injected scripts run in the browser of every visitor to the affected pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites running version 1.1.6 or earlier of this plugin are affected.

💻 Affected Systems

Products:
  • Insert Headers and Footers Code – HT Script WordPress Plugin
Versions: All versions up to and including 1.1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one user with Author role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, redirect all visitors to malicious sites, or deploy ransomware notices.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.

🟢 If Mitigated

With proper user access controls and content security policies, impact is limited to defacement or minor script injection affecting only users who visit specific compromised pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Author privileges or higher. The vulnerability is simple to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.7

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387037%40insert-headers-and-footers-script&new=3387037%40insert-headers-and-footers-script&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Insert Headers and Footers Code – HT Script'.
  4. Click 'Update Now' if available, or delete and reinstall the plugin from the WordPress repository.
  5. Verify that the version shown is 1.1.7 or higher.

🔧 Temporary Workarounds

Remove vulnerable plugin (Operating Systems: all)

Temporarily disable or remove the vulnerable plugin until patched:

wp plugin deactivate insert-headers-and-footers-script
wp plugin delete insert-headers-and-footers-script

Restrict user capabilities (Operating Systems: all)

Temporarily remove Author and higher capabilities from untrusted users. Use wp-cli's set-role command, which rewrites the user's capabilities meta correctly; writing a hand-built serialized PHP array with wp user meta update is fragile (the meta key depends on the table prefix and an already-serialized string is serialized again on save, leaving the user with no valid role):

wp user set-role [user_id] subscriber

🧯 If You Can't Patch

  • Disable the Insert Headers and Footers Code plugin immediately
  • Implement Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Insert Headers and Footers Code – HT Script' version 1.1.6 or lower

Check Version:

wp plugin get insert-headers-and-footers-script --field=version

Verify Fix Applied:

Verify plugin version shows 1.1.7 or higher in WordPress admin plugins page
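The version check above, as an added example that is not part of this advisory or of the plugin vendor's tooling: a POSIX sh helper that reads the installed version with wp-cli and decides whether it falls in the affected range (1.1.6 and below; fixed in 1.1.7). It assumes wp-cli is on PATH; the function names version_lt, is_vulnerable_version and check_site are chosen here, and the plugin slug is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the installed
# Insert Headers and Footers Code (HT Script) version for CVE-2025-12112.
# Assumes wp-cli is on PATH; slug and fixed version are taken from the page.

PLUGIN_SLUG="insert-headers-and-footers-script"
FIXED_VERSION="1.1.7"   # first patched release

# version_lt A B: exit 0 when dotted numeric version A is strictly lower than B.
# Missing components count as 0 (1.1 < 1.1.7); pre-release suffixes such as
# "-beta" are ignored. Pure POSIX sh, so it does not need GNU sort -V.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# is_vulnerable_version V: exit 0 when V is in the affected range (<= 1.1.6).
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site [WP_PATH]: query the live install with wp-cli and print a verdict.
# Exit status: 0 = patched or not installed, 1 = vulnerable version present.
check_site() {
    wp_path="${1:-.}"
    if ! wp plugin is-installed "$PLUGIN_SLUG" --path="$wp_path" >/dev/null 2>&1; then
        echo "not-installed: $PLUGIN_SLUG"
        return 0
    fi
    installed="$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$wp_path")"
    if is_vulnerable_version "$installed"; then
        echo "VULNERABLE: $PLUGIN_SLUG $installed (update to $FIXED_VERSION or later)"
        return 1
    fi
    echo "patched: $PLUGIN_SLUG $installed"
    return 0
}

# Run the live check only when a WordPress path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it as sh check.sh /var/www/html to get a verdict for one site; a non-zero exit status lets it slot into a fleet-wide loop or cron job.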

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin file modifications
  • Multiple failed login attempts followed by successful Author/Editor login
  • POST requests to wp-admin/admin-ajax.php with script injection patterns

Network Indicators:

  • Unexpected JavaScript includes in page responses
  • External script calls from WordPress pages

SIEM Query:

source="wordpress.log" AND ("insert-headers-and-footers-script" OR "admin-ajax.php") AND (POST OR "script" OR "javascript")
