The vulnerability CVE-2025-57986 affects the husani WP Subtitle WordPress plugin (versions <= 3.4.1) and is classified as a stored cross-site scripting (XSS) flaw. It occurs due to improper neutralization of input during web page generation, which can allow an attacker with low privileges to inject malicious scripts that execute when other users view the affected pages. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates network attack vector, low attack complexity, requiring low privileges and user interaction, with a scope change and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected site, potentially leading to partial disclosure of information, modification of content, or disruption of availability. The impact is limited by the requirement for user interaction and low privileges. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the plugin features to trusted users and monitor for suspicious activity related to script injection. Avoid clicking on untrusted links or content that could trigger the vulnerability. Follow updates from the plugin vendor or security advisories for patch availability.