{"id":17994,"date":"2012-09-23T16:39:03","date_gmt":"2012-09-23T16:39:03","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/add-code-to-head\/"},"modified":"2026-04-23T01:25:36","modified_gmt":"2026-04-23T01:25:36","slug":"add-code-to-head","status":"publish","type":"plugin","link":"https:\/\/cor.wordpress.org\/plugins\/add-code-to-head\/","author":9117323,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.23","stable_tag":"1.23","tested":"6.9.4","requires":"6.1","requires_php":"8.0","requires_plugins":null,"header_name":"Add Code to Head","header_author":"HBJitney, LLC","header_description":"","assets_banners_color":"","last_updated":"2026-04-23 01:25:36","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"http:\/\/hbjitney.com\/add-code-to-header.html","header_author_uri":"http:\/\/hbjitney.com\/","rating":5,"author_block_rating":0,"active_installs":3000,"downloads":42319,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.07":{"tag":"1.07","author":"salubrio","date":"2012-09-23 17:20:34"},"1.09":{"tag":"1.09","author":"salubrio","date":"2012-09-23 17:53:33"},"1.13":{"tag":"1.13","author":"salubrio","date":"2016-09-08 18:45:59"},"1.15":{"tag":"1.15","author":"salubrio","date":"2021-06-12 20:29:17"},"1.17":{"tag":"1.17","author":"salubrio","date":"2025-03-26 21:56:54"},"1.23":{"tag":"1.23","author":"salubrio","date":"2026-04-23 01:25:36"}},"upgrade_notice":{"1.21":"<ul>\n<li>No-change release<\/li>\n<li>Internal synchronization; no effect on users (you can stay on v1.21 if you like)<\/li>\n<\/ul>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":"2"},"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":1263627,"resolution":"256x256","location":"assets","locale":""},"icon.svg":{"filename":"icon.svg","revision":1263627,"resolution":false,"location":"assets","locale":false}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.07","1.09","1.13","1.15","1.17","1.23"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3513296,"resolution":"1","location":"plugin"}},"screenshots":{"1":"Options screen"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[1214,356,229,975],"plugin_category":[43,59],"plugin_contributors":[],"plugin_business_model":[],"class_list":["post-17994","plugin","type-plugin","status-publish","hentry","plugin_tags-code","plugin_tags-css","plugin_tags-javascript","plugin_tags-template","plugin_category-customization","plugin_category-utilities-and-tools","plugin_committers-salubrio"],"banners":[],"icons":{"svg":"https:\/\/ps.w.org\/add-code-to-head\/assets\/icon.svg?rev=1263627","icon":"https:\/\/ps.w.org\/add-code-to-head\/assets\/icon.svg?rev=1263627","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/add-code-to-head\/trunk\/screenshot-1.png?rev=3513296","caption":"Options screen"}],"raw_content":"<!--section=description-->\n<p>Intended users: Template Designers, Developer, Admins<\/p>\n\n<p>If you wish to add any custom HTML to each page's header, then this plugin is for you.<\/p>\n\n<p>This is useful for verifying you are the owner of the website to services such as Mailchimp or Google. You can quickly add the verification codes to your page header without having to edit your site's template.<\/p>\n\n<p>In general, you can add custom CSS, a link to an external JavaScript file or something else. While it is generally recommended to create a child template if you're going to make extensive, permanent changes to a template, there may be instances where a small change or two is needed that wouldn't justify the creation of a child template&mdash;or your current template might not support child templates. You should nearly always avoid editing a template directly, because your changes will be lost when you next update the template.<\/p>\n\n<p>This plugin is not affected by template changes.<\/p>\n\n<h3>Acknowledgements<\/h3>\n\n<p>Plugin Icon (CC BY 3.0) by <a href=\"https:\/\/www.iconfinder.com\/denir\">DeniShop<\/a><\/p>\n\n<!--section=installation-->\n<h4>Via the WordPress install plugin option<\/h4>\n\n<ul>\n<li>Click the big 'Install Plugin' button in the plugin description window<\/li>\n<\/ul>\n\n<h4>Upload<\/h4>\n\n<p>If you have a single file (ending in \".zip\"), then use this method.<\/p>\n\n<ol>\n<li>From the plugins, add new, click on the <strong>upload<\/strong> button<\/li>\n<li>Navigate to where the .zip file is located and select it<\/li>\n<li>Make sure to <em>activate<\/em> the plugin once it is installed<\/li>\n<\/ol>\n\n<h4>Files<\/h4>\n\n<p>If you have multiple files in a directory, use this method.<\/p>\n\n<ol>\n<li>Upload the entire directory (not just the files) to the <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"q.%20will%20the%20latest%20changes%20resolve%20cve-2025-48314%3F\"><h3>Q. Will the latest changes resolve CVE-2025-48314?<\/h3><\/dt>\n<dd><p>The plugin now normalizes and sanitizes saved head code for users who do not have the <code>unfiltered_html<\/code> capability before it is stored, closing the stored XSS vector described in CVE-2025-48314 for untrusted roles. Site owners who intentionally grant <code>unfiltered_html<\/code> (such as administrators on single-site installs) still bypass this sanitization by design so they can insert arbitrary code.<\/p>\n\n<p><strong>Bottom line:<\/strong> the vulnerability of executing arbitrary code in the admin screens should be eliminated, however the functionality exists for <em>public<\/em> pages and is intentional. Only advanced users who know what they are doing should use this plugin.<\/p><\/dd>\n<dt id=\"q.%20why%20aren%27t%20my%20codes%20being%20added%20to%20the%20absolute%20end%20of%20the%20head%3F\"><h3>Q. Why aren't my codes being added to the absolute end of the head?<\/h3><\/dt>\n<dd><p>Another plugin or the theme is adding their own codes to the head <em>after<\/em> this plugin runs.<\/p><\/dd>\n<dt id=\"q.%20i%20don%27t%20know%20html%2Fjavascript%2Fcss%3B%20can%20i%20still%20use%20this%20plugin%3F\"><h3>Q. I don't know HTML\/JavaScript\/CSS; can I still use this plugin?<\/h3><\/dt>\n<dd><p>You can, but you shouldn't. It is far too easy to break your site if you don't know what you are doing.<\/p><\/dd>\n<dt id=\"q.%20wordfence%20says%20something%20like%20%22a%20potentially%20unsafe%20operation%20has%20been%20detected%20in%20your%20request%20to%20this%20site.%22\"><h3>Q. Wordfence says something like \"A potentially unsafe operation has been detected in your request to this site.\"<\/h3><\/dt>\n<dd><p>If you try to add a script or some other potentially-dangerous code (even if it isn't), Wordfence might complain. Double check your code and if it is okay, mark it as a false positive in Wordfence.<\/p><\/dd>\n<dt id=\"q.%20help%21%20i%20messed%20up%20my%20whole%20site%21\"><h3>Q. Help! I messed up my whole site!<\/h3><\/dt>\n<dd><p>Disable the plugin. If your site is still messed up, then there's some other problem.<\/p><\/dd>\n<dt id=\"q.%20i%20disabled%20your%20plugin%20and%20the%20problem%20went%20away.%20now%20what%3F\"><h3>Q. I disabled your plugin and the problem went away. Now what?<\/h3><\/dt>\n<dd><p>The problem lies in whatever you typed\/pasted into this plugin's option screen. If you're really stuck, then try clearing out the code and starting over.<\/p><\/dd>\n<dt id=\"q.%20help%21%20i%20accidentally%20erased%20the%20code%20and%20i%20didn%27t%20mean%20to%20do%20that.\"><h3>Q. Help! I accidentally erased the code and I didn't mean to do that.<\/h3><\/dt>\n<dd><p>Similar to <a href=\"https:\/\/codex.wordpress.org\/WordPress_Widgets\">how widgets work<\/a>, that data is stored in your database. If you made a backup before you deleted the data, then you can restore it that way, otherwise it is gone.<\/p><\/dd>\n<dt id=\"q.%20how%20do%20i%20apply%20code%20to%20only%20a%20certain%20page%20or%20pages%3F\"><h3>Q. How do I apply code to only a certain page or pages?<\/h3><\/dt>\n<dd><p>Right now you cannot. If there is sufficient demand, then we'll add it.<\/p><\/dd>\n<dt id=\"q.%20can%20i%20ask%20for%20additional%20functionality%3F\"><h3>Q. Can I ask for additional functionality?<\/h3><\/dt>\n<dd><p>Absolutely!<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.21<\/h4>\n\n<ul>\n<li>Fixed bug that caused extra space to be added to head contents.<\/li>\n<li>Code quality and best-practice pass. No database schema changes; existing saved code is unaffected.<\/li>\n<\/ul>\n\n<h4>1.19<\/h4>\n\n<ul>\n<li>Fix for CVE ID: CVE\u20112025\u201148314<\/li>\n<li>Stored head code is sanitized for users without <code>unfiltered_html<\/code>, mitigating the cross-site scripting (XSS) issue for untrusted roles<\/li>\n<li>Note: arbitrary code insertion on public pages remains intentional (and is the point of this plugin).<\/li>\n<\/ul>\n\n<h4>1.17<\/h4>\n\n<ul>\n<li>Tested compatibility up to WP 6.7.1<\/li>\n<li>Added note about Wordfence error that might be encountered<\/li>\n<\/ul>\n\n<h4>1.15<\/h4>\n\n<ul>\n<li>Tested compatibility up to WP 5.7.2<\/li>\n<li>Reformatted script: converted tabs to spaces<\/li>\n<\/ul>\n\n<h4>1.13<\/h4>\n\n<ul>\n<li>Tested compatibility up to WP 4.6.1<\/li>\n<\/ul>\n\n<h4>1.11<\/h4>\n\n<ul>\n<li>Name changed to (hopefully) reduce confusion.<\/li>\n<\/ul>\n\n<h4>1.10<\/h4>\n\n<ul>\n<li>Screenshot updated<\/li>\n<li>Compatibility with latest WordPress<\/li>\n<\/ul>\n\n<h4>1.09<\/h4>\n\n<ul>\n<li>Readme file added<\/li>\n<\/ul>\n\n<h4>1.07<\/h4>\n\n<ul>\n<li>Original release<\/li>\n<\/ul>","raw_excerpt":"Add custom JavaScript\/HTML\/CSS codes to the page head without editing the template.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/17994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=17994"}],"author":[{"embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/salubrio"}],"wp:attachment":[{"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=17994"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=17994"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=17994"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=17994"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=17994"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/cor.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=17994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}