CVE-2026-7509

Name of the Vulnerable Software and Affected Versions KIA Subtitle plugin for WordPress versions prior to 4.0.2

Description The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the before and after attributes of the the-subtitle shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 4.0.1. As a temporary workaround, restrict the use of the before and after attributes in the the-subtitle shortcode for users with Contributor-level access.