CVE-2025-23669: 
WordPress vulnerability analysis and mitigation

The WordPress WP Smart Tooltip plugin version 1.0.0 and below contains a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-23669. The vulnerability was initially reported by SOPROBRO on October 29, 2024, and was publicly disclosed on January 16, 2025. This security issue affects websites running the vulnerable versions of the WP Smart Tooltip plugin (Patchstack).

The vulnerability has been assigned a CVSS score of 6.5, indicating a medium severity level. The vulnerability type is classified as Cross-Site Scripting (XSS) and falls under the OWASP Top 10 category A3: Injection. The issue can be exploited by users with Subscriber-level privileges or higher (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the affected website. These malicious scripts would then be executed when visitors access the compromised site (Patchstack).

While no official patch is currently available, Patchstack has issued a virtual patch to mitigate this vulnerability. The virtual patch works by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement mitigation measures immediately (Patchstack).