MEDIUM
vinaysankhyan
CVE published 2026-05-27
CVE-2026-8894
A stored cross-site scripting (XSS) vulnerability exists in the iWR Tooltip WordPress plugin, affecting versions up to and including 1.0. The flaw resides in the plugin's `iwrtooltip` shortcode handler, where the `title` attribute is concatenated directly into HTML output without proper escaping via `esc_attr()` or equivalent sanitization. This allows authenticated attackers with contributor-level privile [truncated]
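The unescaped-concatenation pattern described above, shown beside its escaped form. This is an added example, not the plugin's code: the handler names, the markup and the sample `title` value are hypothetical, and the `esc_attr()`/`esc_html()` stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Added illustration; NOT the iWR Tooltip plugin's source.
// Handler names, markup and the sample input are hypothetical.

// Stand-ins so this runs under plain PHP CLI; inside WordPress the real functions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Pattern the advisory describes: the shortcode's title attribute is
// concatenated into the HTML output without escaping.
function demo_tooltip_unsafe($atts, $content = '') {
    $title = isset($atts['title']) ? $atts['title'] : '';
    return '<span class="tooltip" title="' . $title . '">' . $content . '</span>';
}

// Hardened form: escape at the point of output, matched to the output context.
// Assumption: the tooltip body is plain text, so esc_html() is appropriate for it.
function demo_tooltip_safe($atts, $content = '') {
    $title = isset($atts['title']) ? $atts['title'] : '';
    return '<span class="tooltip" title="' . esc_attr($title) . '">' . esc_html($content) . '</span>';
}

// Regression check: parse the rendered markup and list the attributes that
// actually ended up on the <span>. Only "class" and "title" are expected.
function span_attribute_names($html) {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = array();
    foreach ($doc->getElementsByTagName('span')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed input: a double quote that closes the title attribute early.
$atts = array('title' => 'help" data-injected="1');

foreach (array('demo_tooltip_unsafe', 'demo_tooltip_safe') as $handler) {
    $html = $handler($atts, 'hover me');
    echo $handler, ': ', $html, PHP_EOL;
    echo '  attributes on <span>: ', implode(', ', span_attribute_names($html)), PHP_EOL;
}
```

The attribute listing makes the difference checkable in a unit test: any attribute beyond `class` and `title` on the rendered element means the shortcode value escaped its quoting.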