CVE-2026-8894
Stored XSS in iWR Tooltip WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iwr_tooltip | iwr_tooltip | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The iWR Tooltip plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its `iwrtooltip` shortcode in versions up to and including 1.0. This vulnerability arises because the plugin does not properly sanitize or escape user-supplied input in the `title` attribute of the shortcode. Specifically, the `title` attribute is directly concatenated into an HTML attribute without using proper escaping functions like esc_attr().
As a result, authenticated users with contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts will execute whenever any user accesses the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access or above to inject malicious scripts into WordPress pages via the iWR Tooltip plugin. When other users visit these pages, the injected scripts will execute in their browsers.
- It can lead to theft of user credentials or session cookies.
- It may enable unauthorized actions on behalf of users.
- It can result in defacement or manipulation of website content.
- It may facilitate further attacks such as phishing or malware distribution.