CVE-2025-2779: 
WordPress vulnerability analysis and mitigation

The Insert Headers and Footers Code – HT Script plugin for WordPress contains a vulnerability (CVE-2025-2779) due to a missing capability check on the ajax_dismiss function in versions up to and including 1.1.2. The vulnerability was discovered and disclosed on April 1, 2025, affecting WordPress installations with this plugin installed (NVD Database).

The vulnerability stems from a missing capability check in the ajax_dismiss function, which allows authenticated users with Subscriber-level access or higher to perform unauthorized data modifications. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The weakness has been categorized as CWE-862 (Missing Authorization) (NVD Database).

When exploited, this vulnerability allows authenticated attackers to update option values to 1/true on the WordPress site. This can be leveraged to create error conditions that deny access to legitimate users or manipulate certain site settings, such as enabling user registration (NVD Database).

Site administrators running the Insert Headers and Footers Code – HT Script plugin should update to a version newer than 1.1.2 once available. Until then, it is recommended to review and limit user roles with access to the affected functionality (NVD Database).