Description
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The The Tooltip plugin for WordPress is vulnerable to stored cross-site scripting through the attributes of its 'the_tooltip' shortcode. An authenticated user with the Contributor role or higher can place the shortcode in post content with attacker-chosen attribute values; the plugin neither sanitizes those values when the post is saved nor escapes them when the shortcode is rendered, so they are written into the page's HTML verbatim and a stray quote or angle bracket breaks out of the intended attribute or element. WordPress runs a contributor's post body through kses, but shortcode attributes are plain text inside square brackets rather than HTML tags, so the payload survives that filter. Whenever a user views the rendered content the script runs in their browser under that user's session. Because WordPress marks its authentication cookies HttpOnly, the realistic outcome is not cookie theft but actions performed as the victim (for an administrator, changing settings or adding users), defacement of the page, or redirection to attacker-controlled content.
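The following is an added illustration of the weakness class, not code from the The Tooltip plugin (the record does not show the plugin's source): a hypothetical shortcode handler that interpolates attributes raw, beside a version that escapes each value for the context it lands in. The attribute names (text, tip, color), the default colour and the payload are assumed for the example. Run it with WordPress loaded, for example through 'wp eval-file'.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded
// (e.g. `wp eval-file this.php`). Attribute names and payload are assumed.

// VULNERABLE PATTERN: attribute values go straight into HTML with no
// sanitization on input and no escaping on output (CWE-79).
function example_tooltip_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => '', 'tip' => '', 'color' => '#333' ),
        $atts,
        'the_tooltip'
    );
    // A double quote in $atts['tip'] closes the title attribute early.
    return '<span class="tip" style="color:' . $atts['color'] . '" title="' . $atts['tip'] . '">'
        . $atts['text'] . '</span>';
}

// HARDENED: validate what can be validated, escape everything else for
// the exact context (attribute vs. text node) it is written into.
function example_tooltip_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => '', 'tip' => '', 'color' => '#333' ),
        $atts,
        'the_tooltip'
    );
    // Allow-list the colour: only #rgb / #rrggbb, otherwise fall back.
    $color = preg_match( '/^#([0-9a-f]{3}|[0-9a-f]{6})$/i', $atts['color'] )
        ? $atts['color']
        : '#333';
    return sprintf(
        '<span class="tip" style="color:%s" title="%s">%s</span>',
        esc_attr( $color ),
        esc_attr( $atts['tip'] ),   // attribute context: quotes become &quot;
        esc_html( $atts['text'] )   // text-node context: <, >, & are encoded
    );
}

// Constructed post content a Contributor could save. kses does not touch it:
// the shortcode is bracketed text, not an HTML tag.
$post_content = '[the_tooltip text="hover me" tip=\'" onmouseover="alert(document.domain)\']';

add_shortcode( 'the_tooltip', 'example_tooltip_vulnerable' );
echo do_shortcode( $post_content ), "\n";
// <span class="tip" style="color:#333" title="" onmouseover="alert(document.domain)">hover me</span>
// The payload's quote closed title="" and onmouseover became a live attribute.

remove_shortcode( 'the_tooltip' );
add_shortcode( 'the_tooltip', 'example_tooltip_hardened' );
echo do_shortcode( $post_content ), "\n";
// <span class="tip" style="color:#333" title="&quot; onmouseover=&quot;alert(document.domain)">hover me</span>
// Same input, but the quotes are entity-encoded and stay inside the title value.
```

The fix is not a single sanitizer on input: the same attribute value needs esc_attr() when it lands inside an HTML attribute and esc_html() when it lands between tags, and values with a narrow valid form (a colour, a number, a URL) are best checked against an allow-list before any escaping.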

Affected Systems

WordPress sites running the The Tooltip plugin (vendor: Alobaidi) at any version up to and including 1.0.2. The flaw is in the plugin's own shortcode handler, so it is present regardless of theme or other plugins; a site is exposed wherever the plugin is active and content containing the 'the_tooltip' shortcode is rendered, including post previews.

Risk and Exploitability

A CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) and an EPSS below 1 % put this at moderate severity with a low observed probability of exploitation; the SSVC entry in the history below likewise records no known exploitation and rates it not automatable. The precondition is a Contributor-level account, the lowest default WordPress role that can author posts: an attacker must be granted, register for, or compromise such an account, which is a low bar on multi-author sites that hand out Contributor access to guest writers. Once in hand, the attack is straightforward: save a post whose 'the_tooltip' shortcode carries an attribute value containing markup or an event handler. Contributors cannot publish, so the first victim is typically the editor or administrator who previews the pending post; after publication every visitor who loads the page is affected. The impact is that of any stored XSS in a WordPress site, so site owners should treat the issue as non-critical but actionable: install a fixed release when one is available and apply an interim mitigation until then.

Generated by OpenCVE AI on April 20, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tooltip plugin to a release later than 1.0.2 that fixes the flaw as soon as the vendor publishes one; at the time of this record no fixed release or vendor workaround is listed.
  • If no fixed release is available, deactivate the plugin, or unregister the 'the_tooltip' shortcode (remove_shortcode() from a must-use plugin) so attribute values are never rendered; existing shortcode instances then appear as literal text. Restricting which roles may add the shortcode through a role-management plugin reduces future exposure but does not neutralize payloads already stored.
  • After updating, audit every post, page, revision, draft and pending item that contains the shortcode, remove attribute values containing HTML or event handlers, and purge page and object caches so previously rendered payloads are no longer served.
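The interim mitigation and the audit step above, as an added example that is not the vendor's code: a must-use plugin that replaces the 'the_tooltip' shortcode with a handler rendering only escaped enclosed text, plus a WP-CLI command that lists posts whose shortcode attribute values look like markup. Because the real plugin's attribute names are not shown in the record, the audit inspects every attribute. Drop the file in wp-content/mu-plugins/ and run 'wp tooltip-audit'.

```php
<?php
/**
 * Plugin Name: the_tooltip interim mitigation and audit (added example)
 *
 * Added example, not the plugin's or OpenCVE's code. Assumes a standard
 * WordPress install with WP-CLI available for the audit command.
 */

// 1. Neutralize the shortcode. Priority 99 on init runs after the plugin's
//    own registration, so this handler is the one do_shortcode() calls.
add_action( 'init', function () {
    remove_shortcode( 'the_tooltip' );
    add_shortcode( 'the_tooltip', function ( $atts, $content = '' ) {
        // Attributes are ignored entirely; only enclosed text is shown, escaped.
        return esc_html( wp_strip_all_tags( (string) $content ) );
    } );
}, 99 );

// 2. Audit: return one row per suspicious attribute value across all post
//    types and statuses (revisions, drafts and pending posts included).
function example_tooltip_audit() {
    global $wpdb;
    $suspicious = array();
    // Group 3 of this regex is the raw attribute string of the shortcode.
    $regex = '/' . get_shortcode_regex( array( 'the_tooltip' ) ) . '/';
    // Tokens that have no place in a tooltip attribute. Double quotes are
    // included because attribute breakout is the issue; expect a few
    // false positives on legitimate text and review them by hand.
    $bad = '/[<>"]|\bon\w+\s*=|javascript:|data:|&#/i';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_type, post_status, post_author, post_content
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s",
        '%' . $wpdb->esc_like( '[the_tooltip' ) . '%'
    ) );

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $regex, $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $shortcode ) {
            $atts = shortcode_parse_atts( $shortcode[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( $atts as $name => $value ) {
                if ( preg_match( $bad, (string) $value ) ) {
                    $suspicious[] = array(
                        'ID'     => (int) $row->ID,
                        'type'   => $row->post_type,
                        'status' => $row->post_status,
                        'author' => (int) $row->post_author,
                        'attr'   => (string) $name,
                        'value'  => (string) $value,
                    );
                }
            }
        }
    }
    return $suspicious;
}

// 3. WP-CLI entry point:  wp tooltip-audit
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'tooltip-audit', function () {
        $hits = example_tooltip_audit();
        if ( empty( $hits ) ) {
            WP_CLI::success( 'No suspicious the_tooltip attribute values found.' );
            return;
        }
        WP_CLI\Utils\format_items( 'table', $hits, array( 'ID', 'type', 'status', 'author', 'attr', 'value' ) );
        WP_CLI::warning( count( $hits ) . ' suspicious value(s): edit or delete those items, then flush page and object caches.' );
    } );
}
```

The audit deliberately queries wp_posts directly rather than through WP_Query so that revisions and pending items authored by contributors are not filtered out; the 'author' column is what tells you which account to investigate.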


Advisories

No advisories yet.

History

Fri, 09 Jan 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Alobaidi; Alobaidi the Tooltip; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Alobaidi; Alobaidi the Tooltip; Wordpress; Wordpress wordpress

Fri, 09 Jan 2026 11:30:00 +0000

Type: Description
Values Added: The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Alobaidi The Tooltip
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:24.148Z

Reserved: 2025-12-02T16:44:05.173Z

Link: CVE-2025-13908

Vulnrichment

Updated: 2026-01-09T16:47:19.428Z

NVD

Status : Deferred

Published: 2026-01-09T12:15:52.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13908

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses