Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips wowhead-tooltips allows Stored XSS.This issue affects WoWHead Tooltips: from n/a through <= 2.0.1.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Novium’s WoWHead Tooltips plugin contains an improper input neutralization flaw that permits an attacker to store malicious script code within the plugin’s configuration or content fields. The vulnerability allows a stored XSS attack, enabling the injection of arbitrary client‑side code into rendered web pages. This can compromise user credentials, deface the site, or facilitate further attacks in the victim’s browser, impacting confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The flaw affects all releases of the WoWHead Tooltips plugin up to and including version 2.0.1. WordPress sites that have installed or upgraded to these versions are vulnerable unless they have applied a later patch or removed the plugin entirely.

Risk and Exploitability

The CVSS score of 7.1 indicates high risk from an application perspective. The EPSS score of less than 1% suggests that, as of this analysis, exploitation is unlikely in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because the flaw is stored XSS, the attack vector is likely remote: any user or attacker who can inject content into the plugin’s input fields can store malicious code that will run in the browsers of all site visitors. The impact is continuous until the plugin is updated or removed.

Generated by OpenCVE AI on April 30, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WoWHead Tooltips plugin to the latest available version that contains the patch for this XSS flaw.
  • If the plugin cannot be upgraded immediately, remove or disable it entirely to eliminate the attack surface.
  • Apply a Content Security Policy that restricts script execution to trusted sources, providing an additional layer of protection against any residual XSS.

Generated by OpenCVE AI on April 30, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12052 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips allows Stored XSS. This issue affects WoWHead Tooltips: from n/a through 2.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips allows Stored XSS. This issue affects WoWHead Tooltips: from n/a through 2.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips wowhead-tooltips allows Stored XSS.This issue affects WoWHead Tooltips: from n/a through <= 2.0.1.
Title WordPress WoWHead Tooltips <= 2.0.1 - Cross Site Scripting (XSS) Vulnerability WordPress WoWHead Tooltips plugin <= 2.0.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips allows Stored XSS. This issue affects WoWHead Tooltips: from n/a through 2.0.1.
Title WordPress WoWHead Tooltips <= 2.0.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.472Z

Reserved: 2025-04-24T14:22:16.422Z

Link: CVE-2025-46449

cve-icon Vulnrichment

Updated: 2025-04-24T19:53:39.029Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:35.947

Modified: 2026-04-23T15:30:00.700

Link: CVE-2025-46449

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:00:15Z

Weaknesses