CVE-2025-12112 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Insert Headers and Footers Code – HT Script WordPress plugin. This plugin allows administrators to insert custom code snippets into the header and footer sections of a WordPress site. The vulnerability arises from insufficient capability checks that permit authenticated users with Author-level access or higher to inject arbitrary JavaScript code into pages. Since the injected scripts are stored persistently, they execute every time a user visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.1.6. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Author-level), no user interaction, and a scope change. Although no public exploits are currently known, the vulnerability poses a significant risk because Author-level users are common in WordPress environments, and the impact includes confidentiality and integrity loss. The vulnerability was reserved on October 23, 2025, and published on November 8, 2025. No patches or updates are currently linked, indicating that users must take interim mitigation steps.

The primary impact of this vulnerability is the potential for attackers with Author-level access to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and site defacement. Because the vulnerability affects a widely used WordPress plugin, many websites could be at risk, especially those that allow multiple authors or contributors. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, and cause operational disruptions. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing the risk. Although exploitation requires authenticated access, Author-level permissions are often granted to trusted users, making insider threats or compromised accounts a realistic attack vector. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once details become public.

Organizations should immediately review user roles and permissions to ensure that only trusted users have Author-level or higher access. Implement strict access controls and monitor for unusual activity from users with elevated privileges. Since no official patch is currently available, consider temporarily disabling or removing the Insert Headers and Footers Code – HT Script plugin if feasible. Alternatively, restrict the plugin’s usage to only administrators or trusted users by modifying capability checks or using security plugins that enforce role-based restrictions. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting this plugin. Regularly audit site content for unauthorized script injections and monitor logs for signs of exploitation attempts. Stay updated with the plugin vendor’s announcements for patches or updates addressing this vulnerability. Additionally, educate site administrators and authors about the risks of injecting untrusted code and enforce content validation policies.