CVE-2025-46449

Vulnerability

Overview The WoWHead Tooltips plugin for WordPress (versions up to and including 2.0.1) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input. This allows an attacker with contributor-level privileges or higher to inject arbitrary JavaScript into tooltip content, which is then stored and executed when other users view the affected pages.

Exploitation

Details Exploitation requires an authenticated user with the ability to create or edit posts (e.g., Contributor role). The attacker submits crafted input that bypasses sanitization. When a visitor loads a page containing the malicious tooltip, the injected script executes automatically without any user interaction. According to the advisory [1], this vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites.

Impact

Successful exploitation enables the attacker to perform a range of malicious actions, including redirecting visitors to phishing sites, injecting advertisements, stealing session cookies, or defacing the website. This compromises site integrity and can lead to reputational damage and loss of user trust.

Mitigation

The vendor has not released a patched version as of the advisory date. Users are strongly advised to update the plugin immediately if a fix becomes available. If updating is not possible, contact your hosting provider or a web developer for assistance. No workaround is currently documented.