Fix CVE-2025-48316: Stored XSS vulnerability (v1.6.7)#9
3L1AS wants to merge 1 commit into
- Sanitize $tip and $content with wp_kses_post() before output to prevent injection of dangerous HTML (script tags, event handlers)
- Escape TinyMCE dialog inputs to prevent shortcode attribute breakout
- Sanitize admin CSS textarea with wp_strip_all_tags()
- Bump version to 1.6.7

The Stored XSS vulnerability allowed any user with posting privileges to inject malicious JavaScript via tooltip shortcode attributes. The attack chain: shortcode attribute -> esc_attr() (encodes for title attribute) -> jQuery .attr('title') (decodes back) -> .html(tip) (injects raw HTML into DOM -> script execution).

Fix: Apply wp_kses_post() server-side to strip dangerous tags before the content reaches the HTML output, breaking the exploit chain.
## Security Fix: CVE-2025-48316 — Stored XSS

### Vulnerability

CVE-2025-48316: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) allows Stored XSS via the tooltip shortcode. Affects all versions through 1.6.6.

### Attack Chain

Any user with posting privileges (including contributors) could inject malicious JavaScript:

1. `[tooltip tip="<img src=x onerror=alert(1)>"]text[/tooltip]`
2. `<abbr title='<img src=x onerror=alert(1)>' rel='tooltip'>text</abbr>` (`esc_attr()` encodes for the attribute context, but the data is still stored)
3. `tip = target.attr('title')` — jQuery auto-decodes HTML entities back to raw HTML
4. `tooltip.html(tip)` — injects `<img onerror>` into the DOM → XSS executes

### What Changed

- `responsive-tooltip.php`: apply `wp_kses_post()` to `$tip` and `$content` before output — strips `<script>`, event handlers (`onerror`, `onload`), `javascript:` URLs, while preserving safe formatting HTML
- `responsive-tooltip-tinyMCE.js`: escape `"`, `]` and `[` in dialog inputs to prevent shortcode attribute breakout
- `responsive-tooltip-admin-page.php`: apply `wp_strip_all_tags()` to CSS textarea input before writing to file
- `readme.txt`

### Why This Fixes It

The `wp_kses_post()` call strips dangerous HTML at render time, before the content reaches the page. Even if malicious content is stored in the database, it is sanitized before output. After jQuery decodes the `title` attribute and `.html()` injects it, only safe formatting tags (`<b>`, `<i>`, `<em>`, `<strong>`, `<br>`) remain.

### Backward Compatibility

- Safe formatting HTML (`<b>`, `<i>`, `<em>`, `<strong>`, `<br>`) is preserved — the plugin's HTML formatting feature continues to work
- Dangerous HTML (`<script>`, event handlers, `javascript:` URLs) is stripped
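As an added Node.js example (not code from the plugin or this PR), the chain the description walks through, modelled with simplified stand-ins: `escAttr()` for WordPress `esc_attr()`, `decodeAttr()` for the browser's attribute decoding that jQuery's `.attr('title')` hands back, and `ksesLite()` as a minimal allowlist sanitizer in the spirit of `wp_kses_post()`; the sample tooltip values are constructed. It shows why encoding for the attribute context alone does not protect a value that is later passed to `.html()`, and what sanitizing before output changes.

```javascript
// Added example, not code from the plugin or this PR. Models the chain
// shortcode attribute -> esc_attr() -> jQuery .attr('title') -> .html(tip)
// with simplified stand-ins; sample tooltip values are constructed.

const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'", '#39': "'" };

// Stand-in for esc_attr(): encode for an HTML attribute context.
function escAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Stand-in for the browser parsing the attribute value, which is what
// jQuery .attr('title') returns: entities are decoded back to raw text.
function decodeAttr(s) {
  return s.replace(/&(amp|lt|gt|quot|#0?39);/g, (_m, name) => DECODE[name]);
}

// Minimal allowlist sanitizer in the spirit of wp_kses_post(): keep a few
// formatting tags with their attributes removed, drop every other tag.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'br']);
function ksesLite(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';            // e.g. <script>, <img ...>
    return tag.startsWith('</') ? `</${lower}>` : `<${lower}>`; // drops onerror= etc.
  });
}

// Before the fix (through 1.6.6): the value reaching .html(tip) is the stored
// value unchanged, because esc_attr() and the attribute decode cancel out.
function tipReachingHtmlBefore(storedTip) {
  return decodeAttr(escAttr(storedTip));
}

// After the fix (1.6.7): sanitize server-side before esc_attr(), so the value
// that survives the decode is already free of dangerous markup.
function tipReachingHtmlAfter(storedTip) {
  return decodeAttr(escAttr(ksesLite(storedTip)));
}

const poc = '<img src=x onerror=alert(1)>'; // the PoC value from the PR description
console.log('before:', JSON.stringify(tipReachingHtmlBefore(poc))); // raw <img onerror> reaches the DOM
console.log('after: ', JSON.stringify(tipReachingHtmlAfter(poc)));  // ""
```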