The WP Wiki Tooltip plugin for WordPress, maintained by nida78, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13462. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed to its 'wiki' shortcode, which is used to embed tooltip content within WordPress pages. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the payload is stored, the malicious script executes every time any user accesses the compromised page, potentially affecting all visitors. The vulnerability does not require user interaction beyond visiting the page and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and only low privileges are needed (PR:L). The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). No patches or known exploits are currently available, but the risk remains significant due to the widespread use of WordPress and the plugin's functionality. The vulnerability was published on February 19, 2025, and was reserved on January 16, 2025.

This vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of any user visiting those pages. Potential impacts include theft of session cookies or authentication tokens, enabling account takeover; defacement or manipulation of website content; redirection to malicious sites; and execution of arbitrary actions on behalf of users with elevated privileges. Since WordPress powers a large portion of the web, and WP Wiki Tooltip is used to enhance content with tooltips, many organizations could be exposed. The compromise of user accounts or administrative sessions could lead to broader site control or data breaches. The vulnerability’s ability to affect all visitors to an infected page increases its risk profile, especially for sites with high traffic or sensitive user data. Although exploitation requires contributor-level access, such access is common in collaborative environments, increasing the likelihood of insider threats or compromised accounts being leveraged. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once details are public.

Organizations should immediately review their use of the WP Wiki Tooltip plugin and upgrade to a patched version once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'wiki' shortcode parameters can provide interim protection. Regularly audit user-generated content for injected scripts and monitor logs for unusual activity. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Additionally, enforce strong authentication and account monitoring to detect compromised contributor accounts. Educate content contributors about the risks of injecting untrusted code and encourage reporting of suspicious behavior. Finally, maintain up-to-date backups to enable recovery in case of compromise.