CVE-2025-11453
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | header_and_footer_scripts | to 2.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11453 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Header and Footer Scripts" version 2.2.2 and earlier. The plugin allows users to insert custom JavaScript and CSS into the header and footer of WordPress sites. However, it does not properly sanitize or escape the user-supplied scripts stored in the _inpost_head_script parameter. This means that authenticated users with Contributor-level access or higher can inject malicious scripts that will execute whenever any user visits the affected page, potentially compromising site security. [2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Contributor-level access or higher to inject arbitrary malicious scripts into WordPress pages. These scripts execute in the browsers of users who visit the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the scripts are stored and persist on the site, the impact can be widespread and ongoing until the vulnerability is fixed. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for the presence of malicious scripts injected via the _inpost_head_script post meta or site-wide options in the Header and Footer Scripts plugin. You can inspect the WordPress database for suspicious content in the post meta table with the meta_key '_inpost_head_script'. For example, using a MySQL command: SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_inpost_head_script' AND meta_value LIKE '%<script>%'; Additionally, reviewing the front-end page source for unexpected scripts in the header or footer sections can help identify exploitation. There are no specific network commands provided. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Header and Footer Scripts plugin to a version later than 2.2.2 where the vulnerability is fixed. If an update is not available, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least Contributor access to exploit. Additionally, review and clean any injected scripts in the _inpost_head_script post meta and site-wide options. Consider disabling the plugin temporarily if possible until a patch is applied. [2]