CVE-2026-7509 — Cross-Site Scripting (XSS)

May 22, 2026 08:16 /MEDIUM /CVSS 6.4/10

Written by SCW Vulnerability Desk Vulnerability Intelligence

National Vulnerability Database vulnerabilitycvemedium-severitycross-site-scripting-xsscwe-79

CVE-2026-7509 — Cross-Site Scripting (XSS)

CVE-2026-7509 — The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplie

What This Means For You

If your environment is affected by CWE-79, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-7509 updates and patches.

Related ATT&CK Techniques

T1059.007 Web Application Initial Access T1189 Drive-by Compromise Initial Access T1566.002 Cross-Site Scripting Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

medium T1189 Initial Access

CVE-2026-7509 - KIA Subtitle Plugin Stored XSS via Shortcode Attributes

Sigma YAML — free preview

title: CVE-2026-7509 - KIA Subtitle Plugin Stored XSS via Shortcode Attributes
id: scw-2026-05-22-ai-1
status: experimental
level: medium
description: |
  Detects the exploitation of CVE-2026-7509 in the KIA Subtitle WordPress plugin. This rule looks for web requests containing the plugin's path and the 'the-subtitle' shortcode with 'before' or 'after' attributes, specifically targeting potential XSS payloads containing '<script>' tags. This indicates an attempt to inject malicious scripts into pages via the vulnerable shortcode.
author: SCW Feed Engine (AI-generated)
date: 2026-05-22
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7509/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/wp-content/plugins/kia-subtitle/'
      cs-uri-query|contains:
          - 'the-subtitle'
      cs-uri-query|contains:
          - 'before=' 
      cs-uri-query|contains:
          - 'after='
  selection_script_injection:
      cs-uri-query|contains:
          - '<script>'
      condition: selection AND selection_script_injection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

ID	Type	Indicator
CVE-2026-7509	vulnerability	CVE-2026-7509
CWE-79	weakness	CWE-79

Written by SCW Vulnerability Desk

Source & Attribution

Source Platform	NVD
Channel	National Vulnerability Database
Published	May 22, 2026 at 08:16 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

What This Means For You

Related ATT&CK Techniques

🛡️ Detection Rules

CVE-2026-7509 - KIA Subtitle Plugin Stored XSS via Shortcode Attributes

Indicators of Compromise

Related coverage

WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content

CVE-2026-8692 — The Vedrixa Forms – User Registration Form, Signup Form &

CVE-2026-8684 — The MotoPress Hotel Booking plugin for WordPress is