Description
The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-22
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The KIA Subtitle plugin for WordPress contains a stored cross-site scripting flaw that lets an authenticated attacker with Contributor or higher privileges inject arbitrary JavaScript into the `before` and `after` attributes of the `the-subtitle` shortcode. Because the plugin does not sanitize or escape these attributes, the injected script is persisted and executed in the browser whenever a user views a page containing the shortcode. This vulnerability can be leveraged to hijack sessions, deface content, or exfiltrate information from the victim's browser.

Affected Systems

The affected component is the helgatheviking:KIA Subtitle plugin, versions up to and including 4.0.1. WordPress sites that have installed these versions and grant at least Contributor permissions are vulnerable. Upgrading to 4.0.2 or later eliminates the flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score is not reported. Because the exploit requires authenticated access but only Contributor-level roles, it can be used by a wide range of internal users or compromised accounts, but it is not listed in CISA's KEV catalog. An attacker would embed malicious code within an existing post or page via the shortcode editor, and the script would run for all subsequent visitors to that content.

Generated by OpenCVE AI on May 22, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KIA Subtitle plugin to the latest version (4.0.2 or newer), which includes proper input sanitization for the `before` and `after` attributes.
  • If a patch cannot be applied immediately, remove the `the-subtitle` shortcode from posts or restrict its usage to administrators only.
  • Audit existing publications for the vulnerable shortcode, delete or sanitize any malicious instances, and consider adding runtime output filtering through a security plugin such as Wordfence.
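As an added example (not the plugin's or OpenCVE's code), a Python audit helper for the "audit existing publications" step above: it finds `[the-subtitle ...]` shortcodes in stored post content, parses their attributes the way WordPress accepts them (double-quoted, single-quoted or bare values), and flags `before`/`after` values that carry script-bearing markup. The post bodies are constructed samples; which wrapper markup the plugin legitimately accepts is an assumption, so plain tags are left alone and only active content is reported.

```python
import html
import re
from typing import Dict, List, Tuple

# Hypothetical audit helper, not the plugin's code. The shortcode regex is a
# simplification of WordPress's own (no [[escaped]] handling).
SHORTCODE_RE = re.compile(r"\[the-subtitle\b([^\]]*)\]", re.IGNORECASE)

# Attribute grammar as WordPress's shortcode_parse_atts accepts it:
# key="v", key='v' or key=v (bare value ends at whitespace).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")

# Active content that has no business in a presentational wrapper attribute.
SUSPICIOUS_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"  # scripting/embedding elements
    r"|\bon[a-z]+\s*="                              # inline event handlers
    r"|javascript\s*:"                              # javascript: URIs
    r"|data\s*:\s*text/html",                       # data: URIs carrying HTML
    re.IGNORECASE,
)
AUDITED_ATTRS = ("before", "after")


def parse_atts(raw: str) -> Dict[str, str]:
    """Parse shortcode attributes. Values are entity-decoded once so that
    HTML-encoded payloads stored in post_content are still reported."""
    atts: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[m.group(1).lower()] = html.unescape(value)
    return atts


def audit_post(post_id: int, content: str) -> List[Tuple[int, str, str]]:
    """Return (post_id, attribute, value) for each suspicious before/after value."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        atts = parse_atts(sc.group(1))
        for name in AUDITED_ATTRS:
            if SUSPICIOUS_RE.search(atts.get(name, "")):
                findings.append((post_id, name, atts[name]))
    return findings


def audit_posts(posts: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Audit a mapping of post ID -> post_content (e.g. a wp_posts export)."""
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]


# Constructed sample post_content rows (not taken from any real site).
SAMPLE_POSTS = {
    101: 'Intro [the-subtitle before="<h2 class=\'sub\'>" after="</h2>"] body',
    102: "Plain [the-subtitle] with no attributes",
    103: '[the-subtitle before="<script>/*constructed*/</script>"]',
    104: "[the-subtitle after='<svg onload=x>' before=plain]",
    105: '[the-subtitle before="&lt;script&gt;x&lt;/script&gt;"]',
}

if __name__ == "__main__":
    for post_id, attr, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious `{attr}` attribute: {value!r}")
```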


Advisories

No advisories yet.

History

Fri, 22 May 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
Weaknesses | | CWE-79
References | |
Metrics cvssV3_1 | | {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T10:21:17.426Z

Reserved: 2026-04-30T15:05:30.264Z

Link: CVE-2026-7509

Vulnrichment

Updated: 2026-05-22T10:21:10.124Z

NVD

Status : Received

Published: 2026-05-22T05:16:27.747

Modified: 2026-05-22T05:16:27.747

Link: CVE-2026-7509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T06:30:29Z

Weaknesses