Reflected XSS in Tooltipy (tooltips for WP) could allow anybody to do almost anything an admin can


Last revised:

Tootipy contains reflected XSS in the [kttg_glossary] shortcode meaning that admin users’ browsers can be hijacked by anybody who sends them a link. The hijacked browser can be made to do almost anything an admin user can normally do.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Create a page containing the [kttg_glossary] shortcode
  • Visit the new page, and add the following to the end of the URL: ?cat='><script>alert(1)</script>
  • You’ll see an alert in browsers without XSS prevention such as Firefox


Advisory timeline

  • 2018-03-29: Discovered
  • 2018-04-10: Reported to vendor via email (first attempt)
  • 2018-04-30: Asked if they’d received the email, via Facebook private message (second attempt)
  • 2018-05-03: Reported again via contact form (third attempt)
  • 2018-05-18: Reported to
  • 2018-05-18: WordPress plugin team disabled downloads of the plugin
  • 2018-05-21: Vendor reported a fix has been made for the bug (first contact from vendor)
  • 2018-06-05: Updated version of plugin is now available for download on
  • 2018-06-12: Advisory published
  • 2018-06-12: CVE requested
  • 2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 5.1 or later.