Stored Cross-Site Scripting Vulnerability in iWR Tooltip Plugin for WordPress
CVE-2026-8894

6.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
27 May 2026

What is CVE-2026-8894?

The iWR Tooltip plugin for WordPress suffers from a stored cross-site scripting vulnerability that affects versions up to and including 1.0. This flaw arises from insufficient sanitization of user inputs, specifically in the iwrtooltip shortcode. The title attribute within this shortcode is not properly escaped, allowing authenticated attackers with contributor-level access to inject malicious scripts into web pages. These scripts execute whenever another user visits the altered page, posing significant risks to site integrity and user security.
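
For site operators, an audit of stored post content for `iwrtooltip` shortcodes whose `title` attribute carries HTML metacharacters. This is an added example, not code from the plugin or from the advisory. It assumes post rows are available as (ID, post_content) pairs and that the shortcode uses WordPress's standard attribute syntax; the enclosing form in the sample rows is also an assumption.

```python
import html
import re

# Opening [iwrtooltip ...] tags. Attribute syntax is assumed to follow
# WordPress's standard shortcode form: name="v", name='v' or name=v.
SHORTCODE_RE = re.compile(r"\[iwrtooltip\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Characters that can leave an HTML attribute or element context when the
# value is echoed without escaping.
RISKY_CHARS = set("<>\"'")


def title_values(content):
    """Yield the raw title attribute of every iwrtooltip shortcode."""
    for tag in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(tag.group(1)):
            if attr.group(1).lower() == "title":
                yield next(g for g in attr.groups()[1:] if g is not None)


def find_risky_titles(posts):
    """Return (post_id, raw_title) for titles carrying HTML metacharacters.

    Values are entity-decoded first so that &lt; or &#34; are treated the
    same as the literal characters.
    """
    hits = []
    for post_id, content in posts:
        for raw in title_values(content):
            if RISKY_CHARS & set(html.unescape(raw)):
                hits.append((post_id, raw))
    return hits


# Constructed sample rows (post ID, post_content); not taken from a real site.
SAMPLE_POSTS = [
    (101, 'Hover [iwrtooltip title="Plain help text"]here[/iwrtooltip].'),
    (102, "See [iwrtooltip title='\"><em>constructed</em>']this[/iwrtooltip]."),
    (103, 'Entity form [iwrtooltip title="&lt;em&gt;x"]that[/iwrtooltip].'),
    (104, "No shortcode in this post."),
]

if __name__ == "__main__":
    for post_id, raw in find_risky_titles(SAMPLE_POSTS):
        print(f"post {post_id}: review title attribute {raw!r}")
```

A hit is a prompt for manual review of the post and its author, not proof of injection; a tooltip title that legitimately contains an apostrophe is flagged as well.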

Affected Version(s)

iWR Tooltip 0 <= 1.0

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ