WWordPress Vulnerability Database

Community Alert XSS in Page Title Splitter(CVE202562744)

Cross Site Scripting (XSS) in WordPress Page Title Splitter Plugin
0
Shares
0
0
0
0






Urgent Advisory: XSS in Page Title Splitter (≤ 2.5.9)


Plugin Name Page Title Splitter
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2025-62744
Urgency Low
CVE Publish Date 2025-12-31
Source URL CVE-2025-62744

Urgent Security Advisory: Cross‑Site Scripting (XSS) in “Page Title Splitter” WordPress Plugin (≤ 2.5.9)

Published: 2025-12-31 · CVE-2025-62744 · Hong Kong-based security practitioner advisory

Summary

  • A stored Cross‑Site Scripting (XSS) vulnerability affects the WordPress plugin “Page Title Splitter” versions up to and including 2.5.9 (CVE-2025-62744).
  • No official vendor patch was available at the time of this advisory. The vulnerability has a CVSS-equivalent impact around 6.5; it requires at least a Contributor-level user plus user interaction to exploit.
  • If your site allows untrusted contributors or has staff who preview or click content from contributors, treat this as a high-priority mitigation task.

I am writing as a Hong Kong-based WordPress security practitioner. This advisory gives clear, practical steps you can apply quickly — minimal theory, direct actions for site owners, operators and plugin developers.

What is the vulnerability?

  • Type: Cross‑Site Scripting (XSS)
  • Affected software: Page Title Splitter plugin for WordPress
  • Affected versions: ≤ 2.5.9
  • CVE: CVE-2025-62744
  • Reported by: Muhammad Yudha – DJ
  • Attack preconditions: Attacker requires a Contributor-level account (or similar) on the target site and some user interaction (victim clicks a crafted link or views a page).
  • Impact: Injected JavaScript/HTML may run in the context of site visitors or logged-in users, enabling session theft, privilege escalation, content manipulation, redirects or client-side payloads.

High-level technical description (non‑exploitative)

This stored XSS occurs when user-supplied data is output without adequate escaping/encoding. The plugin processes titles and UI elements that are later rendered in pages viewed by other users. When untrusted input is treated as HTML rather than data, script injection becomes possible. The vulnerability requires interaction and a Contributor account, so it is less trivial than unauthenticated remote attacks, but still realistic in many editorial workflows.

Why this matters to your site

Even with the Contributor requirement and user interaction, many WordPress sites are exposed because:

  • External contributors (guest authors, community members) are commonly allowed to post.
  • Editors and admins routinely click preview links or review submissions.
  • Shared credentials, long sessions and automation increase risk of pivot or persistence.

Realistic exploitation scenarios

  • Targeted social engineering: A malicious contributor submits a post with a crafted title containing a payload. An editor previews or opens the post and the script executes in their browser.
  • Stored XSS persistence: Payload is stored in content and fires whenever the page is viewed, affecting many users.
  • Defacement and redirects: Attackers can alter page content, redirect visitors to scam pages or inject additional malicious resources.
Important constraints: Exploitation requires user interaction and Contributor privileges. This reduces the chance of worm-like spread but does not remove serious targeted risk.

How to detect if you’ve been exploited

Search for these indicators on affected sites:

  • Unexpected or unfamiliar JavaScript in page source. Search for