WP Subtitle Security & Risk Analysis

wordpress.org/plugins/wp-subtitle

Add subtitles (subheadings) to your pages, posts or custom post types.

10K active installs · v3.4.2 · PHP 5.6+ · WP 5.6+ · Updated Mar 5, 2026
Tags: content, subhead, subheading, subtitle, title
77
B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is WP Subtitle Safe to Use in 2026?

Mostly Safe

Score 77/100

WP Subtitle is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 29d ago
Risk Assessment

The wp-subtitle plugin v3.4.2 exhibits a generally strong security posture based on static code analysis. The absence of dangerous functions, the complete reliance on prepared statements for SQL queries, and the proper escaping of all output are commendable practices. Furthermore, the presence of nonce and capability checks on entry points suggests a conscious effort to secure the plugin's functionalities. The attack surface is minimal and appears to be protected.

However, the plugin's vulnerability history presents a significant concern. With two known CVEs, one of which remains unpatched, the plugin has demonstrated a recurring susceptibility to Cross-Site Scripting (XSS) vulnerabilities. The fact that the last reported vulnerability was recent further emphasizes the ongoing risk. While the current version's code analysis doesn't reveal immediate exploitable flaws, the past pattern of XSS issues, especially with an unpatched vulnerability, indicates a potential for future exploits if not addressed.

In conclusion, the static code analysis for wp-subtitle v3.4.2 reveals good security implementation for its current code. Nonetheless, the presence of an unpatched medium-severity vulnerability and a history of XSS issues necessitates caution. The plugin's strengths lie in its secure coding practices, but its weakness lies in its past and present vulnerability landscape, particularly the unpatched CVE.

Key Concerns

  • Unpatched medium severity CVE
  • History of XSS vulnerabilities
Vulnerabilities
2

WP Subtitle Security Vulnerabilities

CVEs by Year

1 CVE in 2022
1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-57986 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Subtitle <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched

CVE-2022-1393 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Subtitle <= 3.4 - Cross-Site Scripting

Apr 25, 2022 · Patched in 3.4.1 (638d)
Code Analysis
Analyzed Mar 16, 2026

WP Subtitle Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (29 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

100% escaped · 29 total outputs
Attack Surface

WP Subtitle Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[wp_subtitle] plugin\includes\shortcode.php:3
WordPress Hooks 30
action plugins_loaded plugin\admin\admin.php:8
action admin_init plugin\admin\admin.php:23
action post_updated plugin\admin\admin.php:24
action save_post plugin\admin\admin.php:25
action admin_enqueue_scripts plugin\admin\admin.php:26
filter _wp_post_revision_fields plugin\admin\admin.php:28
action wp_restore_post_revision plugin\admin\admin.php:29
filter sanitize_post_meta_wps_subtitle plugin\admin\admin.php:31
action admin_head plugin\admin\admin.php:51
action edit_form_after_title plugin\admin\admin.php:52
action admin_head plugin\admin\admin.php:54
action edit_form_top plugin\admin\admin.php:55
action add_meta_boxes plugin\admin\admin.php:57
action quick_edit_custom_box plugin\admin\admin.php:62
action admin_init plugin\admin\pointers.php:8
action admin_enqueue_scripts plugin\admin\pointers.php:19
action plugins/wp_subtitle/the_subtitle plugin\includes\class-api.php:36
filter plugins/wp_subtitle/get_subtitle plugin\includes\class-api.php:37
filter seopress_titles_template_variables_array plugin\includes\compat\seopress.php:43
filter seopress_titles_template_replace_array plugin\includes\compat\seopress.php:44
action init plugin\includes\compat\woocommerce.php:26
action woocommerce_single_product_summary plugin\includes\compat\woocommerce.php:29
action woocommerce_shop_loop_item_title plugin\includes\compat\woocommerce.php:33
filter woocommerce_product_settings plugin\includes\compat\woocommerce.php:37
filter wpseo_replacements plugin\includes\compat\wordpress-seo.php:43
action rest_api_init plugin\includes\rest.php:21
action plugins_loaded plugin\plugin.php:35
action init plugin\plugin.php:36
filter wps_subtitle plugin\plugin.php:39
filter wps_subtitle plugin\plugin.php:40
Maintenance & Trust

WP Subtitle Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 5.6
Downloads: 483K

Community Trust

Rating: 82/100
Number of ratings: 21
Active installs: 10K
Developer Profile

WP Subtitle Developer Profile

husani

2 plugins · 10K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 638 days
Detection Fingerprints

How We Detect WP Subtitle

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-subtitle/plugin/js/wp-subtitle-admin.js
Script Paths
/wp-content/plugins/wp-subtitle/plugin/js/wp-subtitle-admin.js
Version Parameters
wp-subtitle/plugin/js/wp-subtitle-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
inline-edit-col-left-wps-subtitle
Data Attributes
data-wps_subtitle