Cross-Site Request Forgery Vulnerability in Insert Headers And Footers Plugin for WordPress
CVE-2025-2111

7.5 HIGH

Key Information:

Vendor: WordPress
CVE Published: 19 April 2025

What is CVE-2025-2111?

The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), which lets unauthenticated attackers change site options without authorization. The flaw is inadequate nonce validation in the 'custom_plugin_set_option' function: because the function does not properly verify a request-specific nonce, a forged request can alter settings, for example granting the administrator role to newly registered users. Exploitation requires the 'WPBRIGADE_SDK__DEV_MODE' constant to be set to 'true' and a site administrator to be tricked into initiating an action; under those conditions the attacker can gain unauthorized access to the WordPress site.
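To make the failure mode concrete, here is an added illustration (not the plugin's own code, and not modelling its dev-mode gate) of a WordPress AJAX handler that writes a site option without nonce or capability checks, next to a hardened version; all function, action and option names are hypothetical.

```php
<?php
// VULNERABLE pattern: any request reaching this handler updates the option.
// With no nonce verified, a request forged on another site and carried by a
// logged-in administrator's browser is accepted (and if the handler were also
// registered on a wp_ajax_nopriv_ hook, unauthenticated requests would be too).
function hypothetical_set_option_vulnerable() {
    $name  = isset( $_POST['option_name'] )  ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );   // could be the default role for new users
    wp_send_json_success();
}

// HARDENED pattern: verify the request-specific nonce, require a capability that
// covers option changes, and allow-list which options this feature may touch.
function hypothetical_set_option_hardened() {
    // check_ajax_referer() terminates the request when the nonce is missing or
    // invalid; this is the check that defeats forged cross-site requests.
    check_ajax_referer( 'hypothetical_set_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed = array( 'hypothetical_plugin_flag' );   // options this endpoint may set
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// Register only for authenticated users; an option-writing endpoint should have
// no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_hypothetical_set_option', 'hypothetical_set_option_hardened' );

// The matching nonce is emitted when the settings form is rendered, e.g.:
// wp_nonce_field( 'hypothetical_set_option', 'nonce' );
```

When reviewing a plugin for this class of bug, look for every update_option() reachable from a request handler and confirm a nonce check and a capability check sit on the same path.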

Affected Version(s)

Insert Headers And Footers * <= 3.1.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Carlos Ferreira