PT-2026-31860 · WordPress · Addfunc Head & Footer Code

Published: 2026-04-10 · Updated: 2026-04-19 · CVE-2026-2305

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

AddFunc Head & Footer Code plugin for WordPress, versions prior to 2.3

Description

The AddFunc Head & Footer Code plugin for WordPress is susceptible to Stored Cross-Site Scripting through the aFhfc head code, aFhfc body code, and aFhfc footer code post meta values. The plugin outputs these meta values without sanitization or escaping. Although it restricts its own metabox and save handler to administrators via current_user_can('manage_options'), it does not register the meta keys with register_meta() and an auth_callback, so that capability check does not apply to other ways of writing post meta. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts through the WordPress Custom Fields interface; the scripts execute when an administrator previews or views the post.

Recommendations

For versions prior to 2.3, update to a version that contains a fix for this vulnerability.
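The defensive pattern the description points at, written here as an added example and not taken from the plugin's source: register each of the three meta keys with register_meta() and an auth_callback, so that the generic post-meta write path (the Custom Fields box, update_post_meta() via the editor, the meta capability checks) enforces the same manage_options requirement the plugin's own metabox already applies. The meta key names below are assumed from the advisory's labels and are not confirmed against the plugin; the function names prefixed example_ are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's own code.
 *
 * Registers per-post head/body/footer code meta keys with an auth_callback so
 * that only users holding manage_options (administrators on a single site) may
 * write them, regardless of which UI or API performs the write.
 */

// Assumed key names; the advisory only names them as "aFhfc head code" etc.
function example_hfc_meta_keys() {
    return array( 'aFhfc_head_code', 'aFhfc_body_code', 'aFhfc_footer_code' );
}

function example_register_hfc_meta() {
    foreach ( example_hfc_meta_keys() as $key ) {
        register_meta(
            'post',
            $key,
            array(
                'type'         => 'string',
                'single'       => true,
                // Keep the raw-code fields out of the REST API entirely.
                'show_in_rest' => false,
                // The feature is to emit raw HTML/JS, so a tag-stripping
                // sanitize_callback would break it. The control is therefore
                // *who* may write the value, enforced here. WordPress passes the
                // acting user's id, so use user_can() rather than current_user_can().
                'auth_callback' => function ( $allowed, $meta_key, $object_id, $user_id ) {
                    return user_can( $user_id, 'manage_options' )
                        && user_can( $user_id, 'edit_post', $object_id );
                },
            )
        );
    }
}
add_action( 'init', 'example_register_hfc_meta' );

/**
 * Check helper: with the registration above, this returns false for a
 * Contributor on their own draft and true for an administrator. The
 * edit_post_meta meta-capability is what the Custom Fields UI and the meta
 * API consult before saving, so this mirrors the enforced decision.
 */
function example_user_may_write_hfc_meta( $user_id, $post_id ) {
    foreach ( example_hfc_meta_keys() as $key ) {
        if ( ! user_can( $user_id, 'edit_post_meta', $post_id, $key ) ) {
            return false;
        }
    }
    return true;
}
```

With the keys registered this way, an unprivileged author who adds one of these names in the Custom Fields box receives a capability failure instead of a stored value, which closes the path the advisory describes without changing what the plugin emits on the front end. If a site also wants to constrain the emitted markup, a sanitize_callback built on wp_kses() with an explicit allow-list can be added to the same registration, at the cost of disallowing inline scripts, which are the plugin's core use case.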

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-2305

Affected Products: Addfunc Head & Footer Code