CVE-2025-2111: 
WordPress vulnerability analysis and mitigation

The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.1.1. This vulnerability was discovered on April 19, 2025, and is tracked as CVE-2025-2111. The issue affects the WordPress plugin's debug mode functionality (NVD).

The vulnerability stems from missing or incorrect nonce validation in the 'custom_plugin_set_option' function. The CVSS v3.1 score is 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is only exploitable when the 'WPBRIGADE_SDK__DEV_MODE' constant is set to 'true' (NVD, WordPress Plugin).

A successful exploit could allow unauthenticated attackers to update arbitrary options on the WordPress site via a forged request. This can be leveraged to update the default role for registration to administrator and enable user registration, potentially granting attackers administrative user access to vulnerable sites (NVD).

The vulnerability has been patched in version 3.1.2, released on April 18, 2025. The update includes a security fix to sanitize option values from debug mode. Users are advised to update to this version immediately (WordPress Plugin).