Vulnerabilities and security researches forheader-and-footer-scripts header-and-footer-scripts

Jan 28, 2026

CVE, Research URL: CVE-2025-11453
Home page URL: Security reports for Header and Footer Scripts
Application: Header and Footer Scripts
Date: Jan 09, 2026
Research Description: The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.2.2.
Status: vulnerable