The vulnerability CVE-2025-46532 affects the Haris Zulfiqar Tooltip WordPress plugin up to version 1.0.1. It is a DOM-based cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation. This allows an attacker with low privileges and requiring user interaction to inject malicious scripts that can execute in the context of the victim's browser. The CVSS 3.1 base score is 6.5 (medium severity) with network attack vector, low attack complexity, privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability classified as low.

Successful exploitation can lead to execution of arbitrary scripts in the context of the affected web application, potentially allowing an attacker to steal sensitive information, manipulate content, or disrupt availability to a limited extent. The impact is limited by the requirement for user interaction and privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected plugin version to mitigate risk. Monitor vendor channels for updates and apply patches promptly once available.