CVE-2025-62744
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter page-title-splitter allows Stored XSS. This issue affects Page Title Splitter: from n/a through <= 2.5.9.
Analysis
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Technical Context
The vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin responsible for splitting and displaying page titles. The plugin fails to properly sanitize or escape user-supplied input before embedding it into dynamically generated HTML content served to visitors. WordPress plugins operate within the wp-admin and frontend rendering contexts; improper output encoding allows injected JavaScript to execute with the privileges of any user viewing the affected page, including administrators. The vulnerability likely exists in template rendering or data output functions where title or related metadata is displayed without adequate escaping functions like wp_kses_post() or esc_html().
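The escaping gap described above, shown as an added illustration rather than the Page Title Splitter plugin's own code: a hypothetical shortcode that splits a stored title on a delimiter and renders each part, first in the unescaped form that produces stored XSS, then in the sanitize-on-save, escape-on-output form WordPress recommends. The function names, the `_pts_example_split_title` meta key and the `|` delimiter are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. The title is read from post meta,
// which any role allowed to edit the post can write, so it is untrusted.

// Hypothetical meta key; the real plugin's storage keys are not on the page.
const PTS_EXAMPLE_META_KEY = '_pts_example_split_title';

// Vulnerable pattern (CWE-79): the stored value is concatenated straight
// into HTML, so any markup saved in the title is rendered for every viewer.
function pts_example_render_unsafe( $post_id ) {
    $title = get_post_meta( $post_id, PTS_EXAMPLE_META_KEY, true );
    $html  = '';
    foreach ( explode( '|', (string) $title ) as $part ) {
        $html .= '<span class="pts-part">' . $part . '</span>';
    }
    return $html;
}

// Hardened pattern, step 1: sanitize when the value is stored.
// sanitize_text_field() strips tags and control characters; wp_unslash()
// removes the slashes WordPress adds to request data.
function pts_example_save( $post_id, $raw_title ) {
    $clean = sanitize_text_field( wp_unslash( $raw_title ) );
    update_post_meta( $post_id, PTS_EXAMPLE_META_KEY, $clean );
}

// Hardened pattern, step 2: escape at the point of output regardless of
// what was done on save, because the meta can also be written by other
// code paths (imports, REST, direct database edits).
function pts_example_render_safe( $post_id ) {
    $title = get_post_meta( $post_id, PTS_EXAMPLE_META_KEY, true );
    $html  = '';
    foreach ( explode( '|', (string) $title ) as $part ) {
        // esc_html() encodes <, >, &, " and ' so stored markup is shown as text.
        $html .= '<span class="pts-part">' . esc_html( trim( $part ) ) . '</span>';
    }
    return $html;
}

// Shortcode wiring uses the safe renderer; the unsafe one is kept only to
// show the defect side by side and must not be registered.
add_shortcode( 'pts_example', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => get_the_ID() ), $atts );
    return pts_example_render_safe( (int) $atts['id'] );
} );
```

When auditing a plugin for this class of bug, look for `echo` or string concatenation of values returned by `get_post_meta()`, `get_option()` or `$_GET`/`$_POST` that are not wrapped in an `esc_*()` or `wp_kses*()` call on the way out.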
Affected Products
Page Title Splitter WordPress plugin by Chris Steman in all versions from initial release through version 2.5.9 inclusive. The plugin is distributed via the official WordPress plugin repository and identified by slug page-title-splitter. Any WordPress installation with this plugin active and user roles permitting content contribution is affected.
Remediation
Update the Page Title Splitter plugin to a patched version released after 2.5.9; check the official WordPress plugin repository (wordpress.org/plugins/page-title-splitter/) for the latest available version. If a newer version exists, upgrade immediately via the WordPress admin dashboard (Plugins > Updates). Until a patched version is confirmed available, restrict plugin exposure by disabling it (Plugins > Deactivate) or by limiting the user roles with editing permissions to trusted administrators only. Review user permissions via WordPress user roles and capabilities to ensure only necessary users have contributor, editor or admin access. For additional details, consult the Patchstack security report at https://patchstack.com/database/Wordpress/Plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve.