Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy bluet-keywords-tooltip-generator allows Stored XSS. This issue affects Tooltipy: from n/a through <= 5.5.6.
Published: 2025-09-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, which allows an attacker to store malicious scripts in the Tooltipy WordPress plugin. When a site visitor loads a page that contains the stored payload, the script executes within the visitor’s browser context. This can lead to defacement, theft of session cookies, credential harvesting, or delivery of further malware. The flaw is a classic Stored XSS, classified as CWE‑79.

Affected Systems

The issue affects the Jamel.Z Tooltipy plugin (bluet‑keywords‑tooltip‑generator) for WordPress, specifically all versions up to and including 5.5.6. Users running any of those releases are potentially vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity level, while the EPSS score of less than 1% shows a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely abused. Attackers would need access to the plugin’s input areas, often requiring administrative privileges, but the stored nature of the flaw means the impact occurs for any visitor to the affected pages.

Generated by OpenCVE AI on April 30, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tooltipy to version 5.5.7 or later.
  • If an upgrade cannot be performed immediately, disable or delete the Tooltipy plugin.
  • As a temporary measure, restrict the role that can add or edit Tooltipy content to trusted administrators and optionally use a web application firewall or input sanitization plugin to filter out script payloads.

Advisories

Source: EUVD
ID: EUVD-2025-26552
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy allows Stored XSS. This issue affects Tooltipy: from n/a through 5.5.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy allows Stored XSS. This issue affects Tooltipy: from n/a through 5.5.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy bluet-keywords-tooltip-generator allows Stored XSS. This issue affects Tooltipy: from n/a through <= 5.5.6.
References
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 03 Sep 2025 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared: Tooltipy, Tooltipy tooltipy, Wordpress, Wordpress wordpress
Vendors & Products: Tooltipy, Tooltipy tooltipy, Wordpress, Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy allows Stored XSS. This issue affects Tooltipy: from n/a through 5.5.6.
Title: WordPress Tooltipy Plugin <= 5.5.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:44.097Z

Reserved: 2025-09-03T09:02:47.357Z

Link: CVE-2025-58614

Vulnrichment

Updated: 2025-09-03T17:37:19.041Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:43.710

Modified: 2026-04-23T15:33:27.873

Link: CVE-2025-58614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:00:15Z

Weaknesses