WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Security & Risk Analysis

wordpress.org/plugins/insert-headers-and-footers

Easily add code snippets in WordPress. Insert header & footer scripts, add PHP code snippets with conditional logic, insert ads pixel code, and more.

3.0M active installs · v2.3.4 · PHP 7.0+ · WP 5.0+ · Updated Feb 12, 2026
Tags: code, code-snippets, css, header, php
Score: 99 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jul 17, 2023
Safety Verdict

Is WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Safe to Use in 2026?

Generally Safe

Score 99/100

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jul 17, 2023 · Updated 1mo ago
Risk Assessment

The 'insert-headers-and-footers' plugin v2.3.4 presents a mixed security posture. The plugin demonstrates good practices with a high percentage of properly escaped output and a substantial number of nonce and capability checks, indicating developers are aware of common WordPress security measures. The absence of dangerous functions and of critical or high-severity taint analysis findings is also a positive sign. However, the presence of one AJAX handler without authentication checks is a significant concern, creating a potential attack vector. While there are no currently unpatched CVEs, the history of three medium-severity vulnerabilities, specifically Cross-Site Scripting, CSRF, and Missing Authorization, suggests a pattern of past security weaknesses that require vigilance.

Despite the overall good code signals regarding output escaping and checks, the single unprotected AJAX endpoint represents a clear and present risk that could be exploited for unauthorized actions or information disclosure if that endpoint handles user-supplied data. The vulnerability history, though all patched, highlights that the plugin has been susceptible to common web vulnerabilities. This, combined with the unprotected entry point, necessitates careful monitoring and prompt updates for any future releases. The plugin has strengths in its general coding practices but needs to address the specific authentication gap in its AJAX handlers.

Key Concerns

  • Unprotected AJAX handler
  • Past medium severity vulnerabilities
Vulnerabilities
3

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Security Vulnerabilities

CVEs by Year
2023: 3 CVEs

Severity Breakdown
Medium: 3

3 total CVEs

CVE-2023-3524 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCode <= 2.0.13 - Unauthenticated Reflected Cross-Site Scripting via Tag Filter Links

Jul 17, 2023 · Patched in 2.0.13.1 (190d)

CVE-2023-1624 · medium · 4.7 · Cross-Site Request Forgery (CSRF)

WPCode <= 2.0.8 - Cross-Site Request Forgery

Apr 3, 2023 · Patched in 2.0.9 (295d)

CVE-2023-0328 · medium · 5.4 · Missing Authorization

WPCode <= 2.0.6 - Missing Authorization to Sensitive Key Disclosure/Update

Feb 9, 2023 · Patched in 2.0.7 (348d)

Code Analysis
Analyzed Mar 16, 2026

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 13 · 8 prepared
Unescaped Output: 46 · 897 escaped
Nonce Checks: 33
Capability Checks: 55
File Operations: 13
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

38% prepared · 21 total queries

Output Escaping

95% escaped · 943 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

16 flows · 1 with unsanitized paths
handle_import_file (includes\admin\pages\class-wpcode-admin-page-tools.php:601)
Attack Surface
1 unprotected

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Attack Surface

Entry Points: 20
Unprotected: 1

AJAX Handlers 19

auth · wp_ajax_wpcode_update_snippet_status · includes\admin\admin-ajax-handlers.php:12
auth · wp_ajax_wpcode_filter_snippets_by_type · includes\admin\admin-ajax-handlers.php:13
auth · wp_ajax_wpcode_search_terms · includes\admin\admin-ajax-handlers.php:14
auth · wp_ajax_wpcode_generate_snippet · includes\admin\admin-ajax-handlers.php:15
auth · wp_ajax_wpcode_save_generated_snippet · includes\admin\admin-ajax-handlers.php:16
auth · wp_ajax_wpcode_verify_ssl · includes\admin\admin-ajax-handlers.php:17
auth · wp_ajax_wpcode_save_editor_height · includes\admin\admin-ajax-handlers.php:19
auth · wp_ajax_wpcode_get_shortcode_locations · includes\admin\admin-ajax-handlers.php:20
auth · wp_ajax_wpcode_sync_snippet · includes\admin\admin-ajax-handlers.php:21
auth · wp_ajax_wpcode_save_preview_css · includes\admin\admin-ajax-handlers.php:22
auth · wp_ajax_wpcode_clear_preview_css · includes\admin\admin-ajax-handlers.php:23
auth · wp_ajax_wpcode_set_preview_css · includes\admin\admin-ajax-handlers.php:24
auth · wp_ajax_wpcode_notice_dismiss · includes\admin\class-wpcode-admin-notice.php:63
auth · wp_ajax_wpcode_notification_dismiss · includes\admin\class-wpcode-notifications.php:53
auth · wp_ajax_wpcode_install_plugin · includes\admin\class-wpcode-suggested-plugins.php:28
auth · wp_ajax_wpcode_library_store_auth · includes\class-wpcode-library-auth.php:44
auth · wp_ajax_wpcode_library_delete_auth · includes\class-wpcode-library-auth.php:45
auth · wp_ajax_wpcode_connect_url · includes\lite\admin\class-wpcode-connect.php:33
nopriv · wp_ajax_wpcode_connect_process · includes\lite\admin\class-wpcode-connect.php:34

Shortcodes 1

[wpcode] includes\shortcode.php:12
WordPress Hooks 161

Scheduled Events 2

wpcode_admin_notifications_update
wpcode_usage_tracking_cron
Maintenance & Trust

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 12, 2026
PHP min version: 7.0
Downloads: 82.8M

Community Trust

Rating: 98/100
Number of ratings: 1,761
Active installs: 3.0M
Developer Profile

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/insert-headers-and-footers/assets/css/frontend.css
/wp-content/plugins/insert-headers-and-footers/assets/js/frontend.js
Version Parameters
insert-headers-and-footers/assets/css/frontend.css?ver=
insert-headers-and-footers/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- wpcode-notice -->
<!-- wpcode_admin_page -->
Data Attributes
data-wpcode-nonce
JS Globals
window.wpCodeFrontend
FAQ

Frequently Asked Questions about WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager