Hi, I hope this message finds you well and that you’re enjoying happy days with your family. Thank you for the report—we take security seriously and will address this as a priority.
Our plugin does not accept any user input on the frontend; content input is restricted to the WordPress admin area. We follow WordPress security standards by using sanitize_* functions, esc_* helpers, and context-aware escaping to enhance code security.
We will review the report and audit all input paths again. We plan to release a new version with the fix and publish a security advisory, including a changelog and upgrade notes.
We appreciate your report and will fix the issue as soon as possible. Thanks, and have a wonderful day with your family!
Best regards,
Support
Hi @babylon1999,
Thanks for the report 🙂
We Fixed the Issue: Stored Cross-Site Scripting in 4 Hours
Our developers sacrificed sleep, working through the night to review our code, and we have released WordPress Tooltips 10.8.7 to enhance plugin security.
1. Enhancements to the Language Settings Panel
2. Improvements to the Tooltip Import File
You can find our detailed document at:
tooltips.org/we-fixed-the-issue-stored-cross-site-scripting-in-4-hours-securing-your-wordpress-tooltips-and-language-settings-best-practices-for-file-uploads-data-sanitization-and-user-input-handling/
Thanks, have a blessed day with your family 🙂
Best Regards,
Support
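As an added illustration of the pattern the vendor describes above (sanitize on input in the admin area, escape for the output context when rendering, and validate an import file before storing it), here is an example handler written for this page. It is not the plugin's own code: the option name, nonce action, hook names and the assumption that the import file is a JSON object of label strings are all hypothetical, and it expects to run inside a WordPress request where the `sanitize_*`, `esc_*`, `wp_kses_post` and capability/nonce functions exist.

```php
<?php
// Added example, not the WordPress Tooltips plugin's code.
// Hypothetical option and nonce names (not taken from the plugin).
const TT_EXAMPLE_OPTION = 'tt_example_language_labels';
const TT_EXAMPLE_NONCE  = 'tt_example_save_labels';

// Save handler for an admin-only settings form (admin-post.php pattern).
function tt_example_save_labels() {
    // Restricting input to the admin area is not enough on its own:
    // check the capability and the nonce so a logged-in user cannot be
    // tricked into submitting the form on someone else's behalf (CSRF).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( TT_EXAMPLE_NONCE );

    $raw   = isset( $_POST['labels'] ) ? (array) wp_unslash( $_POST['labels'] ) : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        // Keys are reduced to a safe identifier shape; values are stored as plain text,
        // so markup submitted through the settings panel never reaches the database.
        $key = sanitize_key( $key );
        if ( '' === $key || ! is_string( $value ) ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( $value );
    }
    update_option( TT_EXAMPLE_OPTION, $clean );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_tt_example_save_labels', 'tt_example_save_labels' );

// Rendering: escape for the exact HTML context at output time, even though the
// data was sanitized on input. Stored values may predate the sanitizer, and the
// attribute and text-node contexts need different escaping anyway.
function tt_example_render_tooltip( $term, $body ) {
    $labels = get_option( TT_EXAMPLE_OPTION, array() );
    $title  = isset( $labels['title'] ) ? $labels['title'] : 'Tooltip';

    return sprintf(
        '<span class="tt-term" data-title="%s" title="%s">%s</span><div class="tt-body">%s</div>',
        esc_attr( $title ),      // attribute context
        esc_attr( $term ),       // attribute context
        esc_html( $term ),       // text-node context
        wp_kses_post( $body )    // tooltip body may carry limited, allow-listed markup
    );
}

// Import file: accept only a JSON object of label strings. The file is parsed
// as data and every value is sanitized; it is never included or echoed as-is.
function tt_example_import_labels( $file_path ) {
    $json = file_get_contents( $file_path );
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'tt_bad_import', 'Import file is not a JSON object.' );
    }
    $clean = array();
    foreach ( $data as $key => $value ) {
        $key = sanitize_key( $key );
        if ( '' === $key || ! is_string( $value ) ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( $value );
    }
    return $clean;
}
```

The design point is that sanitizing on the way in and escaping on the way out are separate controls: the first limits what is stored, the second guarantees that whatever is stored is rendered safely for its specific context (attribute, text node, or allow-listed HTML), so a single missed sanitizer in a settings panel or import path does not become a stored XSS.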