CVE-2025-62917

Vulnerability

Details The Tooltipy plugin (bluet-keywords-tooltip-generator) versions up to 5.5.9 suffer from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker with contributor-level WordPress account to inject malicious JavaScript code into the plugin's tooltip content, which then executes whenever the tooltip is displayed on a page.

Exploitation

Exploitation requires the attacker to have at least contributor-level access to the WordPress site, enabling them to create or edit posts and insert tooltips. Once the malicious script is saved, it will be executed in the browsers of any user who views a page containing the compromised tooltip, including site administrators [1]. The vulnerability can be triggered without requiring additional user interaction from the victim beyond normal page viewing.

Impact

Successful exploitation allows an attacker to perform actions such as stealing authentication cookies, redirecting visitors to malicious sites, injecting advertisements, or defacing the site. This can lead to account compromise and further administrative takeover if an administrator's session is hijacked [1].

Mitigation

The developer has released a fix in a version beyond 5.5.9. Users are strongly advised to update the plugin immediately. If immediate update is not possible, consider disabling the plugin until the update can be applied [1].