Head, Footer and Post Injections Security & Risk Analysis

wordpress.org/plugins/header-footer

The Head and Footer plugin lets you add HTML code to the head and footer sections of your site pages, inside posts... and more!

300K active installs · v3.3.3 · PHP 7.0+ · WP 6.1+ · Updated Feb 3, 2026
Tags: ads · amp · analytics · footer · header
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 20, 2025
Safety Verdict

Is Head, Footer and Post Injections Safe to Use in 2026?

Generally Safe

Score 99/100

Head, Footer and Post Injections has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 20, 2025 · Updated 2mo ago
Risk Assessment

Static analysis of the "header-footer" plugin v3.3.3 shows a generally strong security posture. The plugin registers no direct entry points (AJAX handlers, REST API routes, shortcodes, or cron events), which significantly limits the attack surface. Code signals also indicate good practices: all SQL queries use prepared statements, a high percentage of output is properly escaped, and nonce and capability checks are present. The taint analysis shows no unsanitized paths, which reinforces the impression of secure coding. The plugin's history contains a single medium-severity CVE, now patched, which suggests a responsible approach to security over time. A past vulnerability, even a resolved one, still warrants ongoing vigilance: the current version demonstrates good security practices, but the history suggests the plugin is not entirely immune to vulnerabilities.

Key Concerns

  • Medium severity vulnerability found historically
  • Past vulnerability of Code Injection type
Vulnerabilities: 1

Head, Footer and Post Injections Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-13900 · medium · 4.1 · Improper Control of Generation of Code ('Code Injection')

Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

Feb 20, 2025 Patched in 3.3.1 (1d)
Code Analysis
Analyzed Mar 16, 2026

Head, Footer and Post Injections Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (50 escaped)
Nonce Checks: 3
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

98% escaped · 51 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow
<options> (admin\options.php:0)
Attack Surface

Head, Footer and Post Injections Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 16
action admin_init (admin\admin.php:5)
action admin_menu (admin\admin.php:19)
action admin_enqueue_scripts (admin\admin.php:26)
action add_meta_boxes (admin\admin.php:35)
action save_post (admin\admin.php:39)
filter style_loader_tag (plugin.php:50)
action template_redirect (plugin.php:79)
action wp_head (plugin.php:127)
action wp_head (plugin.php:153)
action amp_post_template_head (plugin.php:163)
action amp_post_template_css (plugin.php:167)
action amp_post_template_body_open (plugin.php:171)
action amp_post_template_footer (plugin.php:175)
action wp_footer (plugin.php:179)
action the_content (plugin.php:191)
action the_excerpt (plugin.php:312)
Maintenance & Trust

Head, Footer and Post Injections Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 3, 2026
PHP min version: 7.0
Downloads: 5.5M

Community Trust

Rating: 98/100
Number of ratings: 734
Active installs: 300K
Developer Profile

Head, Footer and Post Injections Developer Profile

Stefano Lissa

14 plugins · 515K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 650 days
Detection Fingerprints

How We Detect Head, Footer and Post Injections

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/header-footer/admin/css/admin.css
Script Paths
/wp-content/plugins/header-footer/admin/js/admin.js
Version Parameters
header-footer/admin/css/admin.css?ver=
header-footer/admin/js/admin.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Made with love by Stefano Lissa https://www.satollo.net -->
<!-- START: Head, Footer and Post Injections -->
<!-- END: Head, Footer and Post Injections -->
<!-- START: AMP Head, Footer and Post Injections -->
+7 more
Data Attributes
data-hefo-type
data-hefo-id
JS Globals
window.hefo_options
window.hefo_is_mobile