Skip to main content

Chris Steman Page Title Splitter CVE-2025-62744

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 13:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter page-title-splitter allows Stored XSS.This issue affects Page Title Splitter: from n/a through <= 2.5.9.

AnalysisAI

Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.

Technical ContextAI

The vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin responsible for splitting and displaying page titles. The plugin fails to properly sanitize or escape user-supplied input before embedding it into dynamically generated HTML content served to visitors. WordPress plugins operate within the wp-admin and frontend rendering contexts; improper output encoding allows injected JavaScript to execute with the privileges of any user viewing the affected page, including administrators. The vulnerability likely exists in template rendering or data output functions where title or related metadata is displayed without adequate escaping functions like wp_kses_post() or esc_html().

Affected ProductsAI

Page Title Splitter WordPress plugin by Chris Steman in all versions from initial release through version 2.5.9 inclusive. The plugin is distributed via the official WordPress plugin repository and identified by slug page-title-splitter. Any WordPress installation with this plugin active and user roles permitting content contribution is affected.

RemediationAI

Update Page Title Splitter plugin to a patched version released after 2.5.9; check the official WordPress plugin repository (wordpress.org/plugins/page-title-splitter/) for the latest available version. If a newer version exists, upgrade immediately via WordPress admin dashboard (Plugins > Updates). Until a patched version is confirmed available, restrict plugin access by disabling it (Plugins > Deactivate) or limiting user roles with editing permissions to only trusted administrators. Review user permissions via WordPress user roles and capabilities to ensure only necessary users have contributor/editor/admin access. For additional details, consult the Patchstack security report at https://patchstack.com/database/Wordpress/Plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve.

Share

CVE-2025-62744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy