Impact
The MyQtip – easy qTip2 plugin contains a stored cross‑site scripting flaw caused by insufficient sanitization of user‑supplied attributes in its shortcode. When a contributor or higher‑privileged user inserts a malicious script into a page or post via the "myqtip" shortcode, the offending code is persisted in the database and executes in the browser of any visitor who loads that content. This can lead to theft of session tokens, defacement of pages, or the execution of further malicious payloads within the victim's browser session. The vulnerability is a classic stored XSS: it does not provide remote code execution, but it does allow attackers with content‑editing rights to compromise the browsing session of anyone who views the affected page.
Affected Systems
MyQtip – easy qTip2, a WordPress plugin developed by dgamoni. All releases up to and including version 2.0.5 are vulnerable; newer releases that remove the tainted shortcode handling are not affected.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1 % indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user with contributor level or higher who can insert or edit content containing the malicious shortcode. Once that content is published, the payload runs automatically for every visitor, so no further interaction from the attacker is needed. The best‑practice remediation is to apply the vendor's patch or upgrade to a version that eliminates the vulnerable shortcode processing.
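To make the class of bug described above concrete, the following is an added illustrative example and not the MyQtip plugin's own code: a hypothetical tooltip shortcode (names `tooltip_unsafe`, `tooltip_safe` and the handler functions are assumptions) showing the pattern of echoing shortcode attributes verbatim next to a hardened handler that validates, escapes and filters them with standard WordPress APIs.

```php
<?php
// Added example (hypothetical handler, not code from the MyQtip plugin).
// Why shortcode attributes are dangerous: contributors lack the
// unfiltered_html capability, so WordPress runs wp_kses on their post body,
// but a shortcode such as [tooltip title="..."] is plain text, not HTML, and
// survives that filter untouched. Whatever the handler emits is what ships.

// UNSAFE pattern: attribute values and inner content flow straight into HTML.
// A value that closes the title attribute can add a handler or a <script> tag.
function tooltip_shortcode_unsafe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '', 'position' => 'top' ), $atts, 'tooltip_unsafe' );
    return '<span class="tooltip" data-position="' . $atts['position']
         . '" title="' . $atts['title'] . '">' . $content . '</span>';
}

// HARDENED handler: allow-list enumerated values, escape free text for the
// attribute context it lands in, and restrict enclosed content to safe HTML.
function tooltip_shortcode_safe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '', 'position' => 'top' ), $atts, 'tooltip_safe' );

    // Enumerated attribute: anything outside the allow-list falls back to the default.
    $allowed_positions = array( 'top', 'bottom', 'left', 'right' );
    $position = in_array( $atts['position'], $allowed_positions, true )
        ? $atts['position'] : 'top';

    // Free-text attribute: drop any markup, then escape quotes/angle brackets
    // so the value cannot break out of the title="..." attribute.
    $title = esc_attr( wp_strip_all_tags( $atts['title'] ) );

    // Enclosed content: expand nested shortcodes, then keep only the
    // post-safe HTML subset (no <script>, no on* event attributes, no javascript: URLs).
    $inner = wp_kses_post( do_shortcode( $content ) );

    return sprintf(
        '<span class="tooltip" data-position="%s" title="%s">%s</span>',
        esc_attr( $position ),
        $title,
        $inner
    );
}

// Only the hardened handler is registered; the unsafe one is kept solely for contrast.
add_shortcode( 'tooltip_safe', 'tooltip_shortcode_safe' );
```

When reviewing a plugin fix for this bug class, check that every attribute reaches the output through an `esc_*` function appropriate to its context (`esc_attr` for attributes, `esc_url` for links, `wp_kses_post` for HTML bodies) rather than through a single blanket filter.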
OpenCVE Enrichment