WordPress issues fixes for two bugs rated medium in its tooltips plugin, including one that can allow bad actors to do anything an admin user would be able to do on a WordPress site. The XSS glitch, rated 5.8 on the CVSS rating system, exists in the plugin's glossary shortcode (also known as [kttg_glossary]). The second flaw, a CSRF vulnerability, has a CVSS summary score of 4.3 and exists in Tooltipy’s KTTG Converter feature.
Source: https://threatpost.com/two-bugs-in-wordpress-tooltipy-plugin-patched/132804/

