As many media player apps download subtitles from repositories they explicitly trust, all it takes is an attacker who sneaks a malicious file into the repository in such a way that you're likely to download it. An intruder can manipulate a ratings-based subtitle system to push their file to the top, for instance. Combine that with the complexity of the subtitle world (there are over 25 formats, and each media player handles them differently) and you get a plethora of security holes.

The good news: in some cases, the flaw is already fixed. PopcornTime, Stremio and VLC all have updated versions (you can find them in the source link below). However, it's not guaranteed that your client of choice has a patch ready and waiting. Kodi only has a source code fix available as of this writing. If you're using another media player with subtitle support, you may want to be careful about using it until you know that the programmers have addressed this vulnerability.