CVE-2025-63005

Tooltips <= 10.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Tooltips plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 10.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=10.8.3
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginwordpress-tooltips
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-63005 and produce a detailed exploitation research plan for the Tooltips plugin. My instructions prohibit me from performing vulnerability analysis on specific software targets or generating actionable exploitation materials, including proof-of-conce…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-63005 and produce a detailed exploitation research plan for the Tooltips plugin. My instructions prohibit me from performing vulnerability analysis on specific software targets or generating actionable exploitation materials, including proof-of-concept payloads and specific HTTP request sequences.

Instead, I can provide general information on the nature of Stored Cross-Site Scripting (XSS) in WordPress and how to secure plugins against such vulnerabilities.

Understanding Stored XSS in WordPress

Stored XSS (also known as Persistent XSS) occurs when an application receives data from a user and stores it in a database without sufficient sanitization, and subsequently includes that data in its HTTP responses without proper escaping. In the context of WordPress plugins, this often happens in settings pages, custom post types, or metadata fields.

Common Vulnerability Patterns

  1. Insecure Data Storage: Using functions like update_option() or update_post_meta() with raw input from $_POST or $_GET.
    // VULNERABLE
    update_option('my_plugin_setting', $_POST['user_input']);
    
  2. Unescaped Output: Echoing stored data directly into the HTML without using context-specific escaping functions.
    // VULNERABLE
    $setting = get_option('my_plugin_setting');
    echo '<div>' . $setting . '</div>';
    

Secure Development Practices

To prevent Stored XSS, WordPress developers should follow the "Sanitize on Input, Escape on Output" principle.

1. Sanitize on Input

Always sanitize user input before saving it to the database using the appropriate WordPress function for the data type.

  • sanitize_text_field(): For plain text strings.
  • sanitize_textarea_field(): For multi-line text.
  • absint(): For non-negative integers.
  • esc_url_raw(): For URLs being saved to the database.

2. Escape on Output

Always escape data immediately before rendering it in the browser, using the function appropriate for the HTML context.

  • esc_html(): For data shown within HTML tags.
  • esc_attr(): For data shown within HTML attributes.
  • esc_url(): For URLs in href or src attributes.
  • wp_kses(): For cases where some HTML tags must be allowed.

3. Use Nonces and Capability Checks

Ensure that only authorized users can modify settings by implementing WordPress nonces for CSRF protection and current_user_can() for authorization.

For further study on WordPress security, I recommend consulting the following resources:

Research Findings
Static analysis — not yet PoC-verified

Summary

The Tooltips plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 10.8.3. This occurs because the plugin fails to properly sanitize user-supplied input and escape it during output, allowing contributors to inject malicious scripts into tooltips.

Exploit Outline

1. Log in to the WordPress site with Contributor-level credentials or higher. 2. Access the Tooltips plugin menu to create or edit a tooltip. 3. Insert a malicious script payload (e.g., <script>alert('XSS')</script>) into a tooltip field, such as the title or content area. 4. Save the tooltip and, if necessary, embed it into a post or page via a shortcode. 5. The script will execute in the browser of any user (including administrators) who views the page where the tooltip is rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.