CVE-2025-2779 MEDIUM

CVE-2025-2779: Insert Headers and Footers Code – HT Script <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

Vendor Htplugins
Product Insert Headers and Footers Code – HT Script
Weakness CWE-862 · Missing authorization
Published April 2, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true, such as registration.

Key dates

02Disclosure timeline

April 2, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-1663 Missing Authorization in GitLab CVE-2025-67973 WordPress Sunshine Photo Cart plugin <= 3.5.6.2 - Broken Access Control vulnerability CVE-2025-12783 Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update CVE-2025-47580 WordPress Front End Users plugin <= 3.2.35 - Broken Access Control vulnerability CVE-2026-25372 WordPress Academy LMS plugin <= 3.5.3 - Broken Access Control vulnerability