CVE-2025-62744
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter page-title-splitter allows Stored XSS. This issue affects Page Title Splitter: from n/a through <= 2.5.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WordPress Page Title Splitter plugin (≤2.5.9) allows authenticated attackers to inject arbitrary scripts.
Vulnerability Overview
The Page Title Splitter WordPress plugin versions up to and including 2.5.9 suffer from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated user with appropriate privileges to inject malicious HTML and JavaScript payloads that are stored on the server and later executed in the browsers of site visitors.
Attack Vector
Exploitation requires a privileged user to perform an action—such as submitting a crafted form or clicking a link—that triggers the injection [1]. Once the payload is stored, any guest visiting an affected page will have the script executed automatically, leading to persistent code execution in the context of the victim's browser session.
Impact
Successful exploitation can lead to the execution of arbitrary scripts, including redirections, display of malicious advertisements, or theft of session cookies and other sensitive data [1]. This type of vulnerability is frequently targeted in mass-exploit campaigns against thousands of sites simultaneously.
Mitigation
The vendor has not released a patched version at the time of this writing. Users should update the plugin as soon as a fixed version is released, or consult their hosting provider for temporary workarounds in the meantime [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.5.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.