Chris Steman Page Title Splitter CVE-2025-62744
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter page-title-splitter allows Stored XSS.This issue affects Page Title Splitter: from n/a through <= 2.5.9.
AnalysisAI
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Technical ContextAI
The vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin responsible for splitting and displaying page titles. The plugin fails to properly sanitize or escape user-supplied input before embedding it into dynamically generated HTML content served to visitors. WordPress plugins operate within the wp-admin and frontend rendering contexts; improper output encoding allows injected JavaScript to execute with the privileges of any user viewing the affected page, including administrators. The vulnerability likely exists in template rendering or data output functions where title or related metadata is displayed without adequate escaping functions like wp_kses_post() or esc_html().
Affected ProductsAI
Page Title Splitter WordPress plugin by Chris Steman in all versions from initial release through version 2.5.9 inclusive. The plugin is distributed via the official WordPress plugin repository and identified by slug page-title-splitter. Any WordPress installation with this plugin active and user roles permitting content contribution is affected.
RemediationAI
Update Page Title Splitter plugin to a patched version released after 2.5.9; check the official WordPress plugin repository (wordpress.org/plugins/page-title-splitter/) for the latest available version. If a newer version exists, upgrade immediately via WordPress admin dashboard (Plugins > Updates). Until a patched version is confirmed available, restrict plugin access by disabling it (Plugins > Deactivate) or limiting user roles with editing permissions to only trusted administrators. Review user permissions via WordPress user roles and capabilities to ensure only necessary users have contributor/editor/admin access. For additional details, consult the Patchstack security report at https://patchstack.com/database/Wordpress/Plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today