CVE-2025-2111

Name of the Vulnerable Software and Affected Versions Insert Headers And Footers plugin for WordPress versions up to, and including, 3.1.1

Description The issue is due to missing or incorrect nonce validation on the custom plugin set option function, making it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site. The WPBRIGADE SDK DEV MODE constant must be set to true to exploit the issue.

Recommendations For versions up to, and including, 3.1.1, update to a version that includes the fix for the missing or incorrect nonce validation on the custom plugin set option function. As a temporary workaround, consider disabling the custom plugin set option function until a patch is available. Restrict access to the plugin's settings to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.