CVE-2025-12109 is a stored cross-site scripting (XSS) vulnerability identified in the WordPress plugin 'Header Footer Script Adder – Insert Code in Header, Body & Footer' developed by mahethekiller. This plugin allows users to insert custom code snippets into the header, body, or footer sections of WordPress pages. The vulnerability exists due to insufficient input sanitization and output escaping in the script adder functionality, which processes code inserted into posts. Authenticated attackers with Contributor-level permissions or higher can exploit this flaw by injecting malicious JavaScript payloads into posts or pages. These scripts are stored persistently and executed in the browsers of any users who visit the compromised pages, enabling attacks such as session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all plugin versions up to and including 2.0.5. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported to date. The vulnerability was reserved on October 23, 2025, and published on December 13, 2025. Due to the widespread use of WordPress and the plugin’s functionality, this vulnerability poses a significant risk to websites that have not applied patches or mitigations.

The primary impact of CVE-2025-12109 is the compromise of confidentiality and integrity for websites using the affected plugin. An attacker with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and site defacement. While availability is not directly affected, the reputational damage and loss of user trust can be significant. Since Contributor-level access is relatively low privilege, this vulnerability lowers the barrier for attackers to escalate their impact. Organizations running WordPress sites with this plugin are at risk of targeted attacks, especially if they allow multiple contributors or have weak internal controls. The vulnerability can also be leveraged as a foothold for further attacks within the network or to distribute malware to site visitors. The lack of known public exploits currently limits widespread exploitation, but the vulnerability’s characteristics make it a likely candidate for future attacks.

To mitigate CVE-2025-12109, organizations should immediately update the 'Header Footer Script Adder – Insert Code in Header, Body & Footer' plugin to a patched version once available. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this plugin’s input fields. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Conduct regular code reviews and sanitize all user inputs rigorously, especially in plugins that allow code insertion. Monitor site content for unexpected script injections and audit user activities for suspicious behavior. Educate content contributors about the risks of injecting untrusted code. Finally, consider disabling or replacing the plugin if it is not essential or if no timely patch is available.