CVE-2025-48316

Vulnerability

Overview

The Responsive Mobile-Friendly Tooltip plugin for WordPress versions up to and including 1.6.6 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. The plugin fails to sanitize or escape input before storing it in the database and later rendering it on the frontend, allowing arbitrary HTML and JavaScript to be injected.

Exploitation

Conditions

Exploitation requires an authenticated user with at least contributor-level privileges who can create or edit tooltip content. The attacker can inject a malicious payload into a tooltip field, which is then stored and executed when any visitor loads a page containing that tooltip [1]. No additional user interaction is needed for the victim; the script runs automatically in their browser.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to redirect users to malicious sites, display unwanted advertisements, steal session cookies or sensitive data, or deface the website [1]. The vulnerability is considered medium severity (CVSS 6.5) and is known to be targeted in mass-exploit campaigns.

Mitigation

The vendor has released a patched version (1.6.7 or later). Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or seeking assistance from a hosting provider or web developer [1]. No other workarounds are documented.