Improper neutralization of input during page generation in the Page Title Splitter plugin allows attackers to embed malicious script code into the title field. Because the title is stored and later rendered in the browser, the injected code will execute in the context of every visitor to the affected page, potentially stealing cookies, hijacking sessions, or delivering phishing content. The flaw is a classic stored XSS (CWE‑79) that can compromise confidentiality and the integrity of the site’s displayed content.

The vulnerability affects the WordPress Page Title Splitter plugin distributed by Chris Steman, specifically all releases from the earliest version through version 2.5.9. WordPress sites that rely on any of these plugin versions are at risk unless the plugin is removed or updated.

With a CVSS score of 6.5 the issue is considered medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation at current time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would submit malicious JavaScript through a title input field, which is then stored by the plugin and rendered unfiltered when the page is displayed. The exploit does not require system‑level privileges, making it accessible to remote attackers who can interact with the site’s public or administrative interfaces.