Date: Tue, 12 Jun 2018 18:39:01 +0000
From: dxw Security <>
Subject: [FD] Reflected XSS in Tooltipy (tooltips for WP) could allow anybody to do almost anything an admin can (WordPress plugin)

Software: Tooltipy (tooltips for WP)
Version: 5.0
Advisory report:
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Reflected XSS in Tooltipy (tooltips for WP) could allow anybody to do almost anything an admin can

Tooltipy contains reflected XSS in the [kttg_glossary] shortcode, meaning that admin users’ browsers can be hijacked by anybody who sends them a link. The hijacked browser can be made to do almost anything an admin user can normally do.

Proof of concept

1. Create a page containing the [kttg_glossary] shortcode.
2. Visit the new page, and add the following to the end of the URL: ?cat=\'><script>alert(1)</script>
3. You’ll see an alert in browsers without XSS prevention such as Firefox.

Fix
Upgrade to version 5.1 or later.
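To make the class of bug concrete, here is an added illustration that is not Tooltipy's own code and does not reproduce the plugin's internals (the page shows none): a minimal stand-in for a shortcode handler that reflects the ?cat= query parameter into the page, first the way a reflected XSS arises and then with context-correct escaping. It is plain PHP so it runs without WordPress; htmlspecialchars() and rawurlencode() stand in for WordPress's esc_html() and esc_url(). The function names, the markup and the kttg-filter class are invented for this example.

```php
<?php
// Added illustration, not Tooltipy's own code. A minimal stand-in for a
// shortcode handler that reflects the ?cat= query parameter into the page.
// Function names and markup are invented for this example.

// VULNERABLE: the raw query value is concatenated straight into a
// single-quoted attribute and a text node. A value beginning with a quote
// and ">" closes the attribute and the tag, so everything after it is parsed
// as new markup. (A double-quoted attribute is equally exposed to a payload
// carrying a double quote; the text node is exposed either way.)
function render_glossary_filter_vulnerable(array $query): string
{
    $cat = (string) ($query['cat'] ?? '');
    return "<a class='kttg-filter' href='?cat=" . $cat . "'>" . $cat . '</a>';
}

// HARDENED: encode for the exact output context. The URL piece is
// percent-encoded (rawurlencode leaves no quotes or angle brackets), and the
// visible text is HTML-escaped with ENT_QUOTES so both quote styles are inert.
// In a WordPress plugin: wp_unslash() the value first (WordPress adds slashes
// to $_GET), then esc_url() for the href and esc_html() for the text.
function render_glossary_filter_hardened(array $query): string
{
    $cat  = (string) ($query['cat'] ?? '');
    $href = '?cat=' . rawurlencode($cat);
    $text = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="kttg-filter" href="' . $href . '">' . $text . '</a>';
}

// Check for a unit test or a quick audit: the rendered fragment must contain
// exactly one opening tag, the <a> the template itself wrote.
function has_injected_markup(string $html): bool
{
    return preg_match_all('/<[a-zA-Z]/', $html) !== 1;
}

// Constructed input: the payload from the advisory as PHP receives it after
// URL decoding of ?cat=\'><script>alert(1)</script>
$query = ['cat' => "\\'><script>alert(1)</script>"];

foreach (['vulnerable' => 'render_glossary_filter_vulnerable',
          'hardened'   => 'render_glossary_filter_hardened'] as $label => $fn) {
    $html = $fn($query);
    printf("%-11s %s\n", $label . ':', $html);
    printf("%-11s injected markup: %s\n\n", '', has_injected_markup($html) ? 'YES' : 'no');
}
```

Running it with `php glossary_filter.php` prints the vulnerable fragment with three opening tags (the template's `<a` plus two injected `<script`) and the hardened fragment with one, so has_injected_markup() reports YES for the first and no for the second. The point to carry over to any shortcode that reads request parameters is that the escaping function must match the output context (attribute, URL, text node, JavaScript string), and that WordPress's slashing of $_GET means the value should be unslashed before it is escaped, never escaped and then stripped.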

Disclosure policy
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy:

Please contact us on to acknowledge this report if you received it via a third party (for example, as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
2018-03-29: Discovered
2018-04-10: Reported to vendor via email (first attempt)
2018-04-30: Asked if they’d received the email, via Facebook private message (second attempt)
2018-05-03: Reported again via contact form (third attempt)
2018-05-18: Reported to
2018-05-18: WordPress plugin team disabled downloads of the plugin
2018-05-21: Vendor reported a fix has been made for the bug (first contact from vendor)
2018-06-05: Updated version of plugin is now available for download on
2018-06-12: Advisory published

Discovered by dxw:
Tom Adams
Please visit for more information.

Sent through the Full Disclosure mailing list