CVE-2025-32180: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-32180) was discovered in QuanticaLabs CSS3 Tooltips for WordPress plugin, affecting versions through 1.8. The vulnerability was identified by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on May 16, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, unchanged scope, with potential impact on integrity but no impact on confidentiality or availability (Wiz).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While the specific impact varies case by case, the overall severity is considered low (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects CSS3 Tooltips for WordPress versions up to and including 1.8 (Wiz).