Easy Table of Contents Security & Risk Analysis

wordpress.org/plugins/easy-table-of-contents

Adds a user friendly and fully automatic way to create and display a table of contents generated from the page content.

600K active installs · v2.0.82.2 · PHP 5.6.20+ · WP 5.0+ · Updated Mar 26, 2026

Tags: table-of-contents, toc

Security score: 95/100 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Feb 18, 2026
Safety Verdict

Is Easy Table of Contents Safe to Use in 2026?

Generally Safe

Score 95/100

Easy Table of Contents has a strong security track record. All six known CVEs are medium severity, each has a fix in a released version, and none remain unpatched in the current release. It is a solid choice for most WordPress installations, provided updates are applied as they ship.

6 known CVEs · Last CVE: Feb 18, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of easy-table-of-contents v2.0.81 shows a generally strong security posture. All identified AJAX handlers and REST API routes appear to carry authorization checks, and the six AJAX actions are registered only on wp_ajax_ hooks (no wp_ajax_nopriv_ variants), so none are reachable without a logged-in session. All 3 SQL queries use prepared statements. Output escaping is robust: 688 of 730 outputs (94%) are escaped, leaving 42 unescaped outputs that deserve a manual look given that stored XSS is the plugin's most common historical flaw. 7 nonce checks and 10 capability checks are present. There are no file operations, and only one external HTTP request, which keeps the attack surface small.

However, the plugin's vulnerability history warrants attention. There are 6 known CVEs, all of medium severity, the most recent published Feb 18, 2026, which indicates a recurring pattern of weaknesses rather than a one-off. The recurring classes, Cross-site Scripting, Missing Authorization and Cross-Site Request Forgery, point to output handling and access control on privileged actions as the areas that need consistent attention. The current version has no unpatched vulnerabilities, but the history makes future findings or regressions plausible.

In conclusion, the current code shows positive security indicators and a structured approach to handling sensitive operations, but the historical vulnerability data warrants caution. The flaws were medium severity, yet they recurred. Users should apply updates promptly when new versions are released and, where the site allows Contributor or Editor accounts, keep in mind that most past issues were stored XSS reachable from those roles.
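The assessment above counts nonce checks and capability checks per AJAX handler and flags the two classes that appear in the CVE list below (Missing Authorization, CSRF). The following Python script is an added example of how an auditor reproduces that count for a plugin's PHP source: it finds every add_action('wp_ajax_...') registration, locates the callback body, and reports whether the body calls a nonce-verification function and a capability check. It is not code from the plugin or from the analysis site. The PHP embedded in SAMPLE_PHP is constructed and hypothetical (class and option names are invented); its unprotected "reset" handler only illustrates the flaw class, not any real handler in this plugin.

```python
"""Triage check for WordPress AJAX handlers: does each wp_ajax_* callback verify a
nonce (CSRF) and a capability (authorization)?  Added example, not plugin code.
SAMPLE_PHP is constructed and hypothetical."""
import re
from typing import Dict, List, Optional, Tuple

# add_action( 'wp_ajax_<action>', <callback expression> [, priority ...] );
ADD_ACTION_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(nopriv_)?[A-Za-z0-9_]+)['"]\s*,(.*?)\)\s*;""", re.S)
QUOTED_IDENT_RE = re.compile(r"""['"]([A-Za-z0-9_]+)['"]""")
NONCE_FUNCS = ("check_ajax_referer", "check_admin_referer", "wp_verify_nonce")
CAP_FUNCS = ("current_user_can", "current_user_can_for_blog")


def function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function <name>(`.  Brace matching is
    naive (braces inside strings or comments are counted too), which is fine
    for triage but not for a final verdict."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def _calls(body: Optional[str], funcs: Tuple[str, ...]) -> bool:
    return body is not None and any(f + "(" in body for f in funcs)


def audit_ajax_handlers(src: str) -> Dict[str, Dict[str, object]]:
    """Map each registered wp_ajax_* hook to what its callback does (not) check."""
    report: Dict[str, Dict[str, object]] = {}
    for m in ADD_ACTION_RE.finditer(src):
        hook, nopriv, cb_expr = m.groups()
        # Callback may be 'name', array( $this, 'name' ) or [ __CLASS__, 'name' ];
        # in every form the function/method name is the last quoted identifier.
        idents = QUOTED_IDENT_RE.findall(cb_expr)
        body = function_body(src, idents[-1]) if idents else None
        entry: Dict[str, object] = {
            "nopriv": bool(nopriv),            # wp_ajax_nopriv_: reachable logged-out
            "callback_found": body is not None,
            "nonce": _calls(body, NONCE_FUNCS),
            "capability": _calls(body, CAP_FUNCS),
        }
        entry["missing"] = [k for k in ("nonce", "capability") if not entry[k]]
        report[hook] = entry
    return report


# Constructed, hypothetical PHP.  Demo_Admin and the demo_* options are invented.
SAMPLE_PHP = r"""<?php
class Demo_Admin {
    public function __construct() {
        add_action( 'wp_ajax_demo_export_settings', array( $this, 'export_settings' ) );
        add_action( 'wp_ajax_demo_reset_options', array( $this, 'reset_options' ) );
        add_action( 'wp_ajax_nopriv_demo_track_view', 'demo_track_view', 10 );
    }
    public function export_settings() {
        check_ajax_referer( 'demo_admin_nonce', 'security' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        wp_send_json_success( get_option( 'demo_settings' ) );
    }
    public function reset_options() {
        // Neither nonce nor capability check: any logged-in user, or a CSRF
        // page they visit, can wipe the settings.  Illustrative only.
        delete_option( 'demo_settings' );
        wp_send_json_success();
    }
}
function demo_track_view() {
    update_option( 'demo_views', (int) get_option( 'demo_views' ) + 1 );
    wp_die();
}
"""

if __name__ == "__main__":
    for hook, info in audit_ajax_handlers(SAMPLE_PHP).items():
        print(hook, info)
```

Read the output as leads, not findings: a check made in a shared helper, or a REST route protected by permission_callback, will not be seen by this regex pass, and a handler with a nonce but no capability check is still a Missing Authorization bug for every logged-in role, which is the class recorded as CVE-2023-25469 below. A wp_ajax_nopriv_ handler that writes options should be read by hand regardless of what it checks.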

Key Concerns

  • History of medium severity CVEs
  • Common vulnerability types: XSS and Missing Auth
  • Large number of entry points (19)
Vulnerabilities
6 published

Easy Table of Contents Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 3 CVEs
2026: 2 CVEs

Severity Breakdown

Medium: 6 (6 total CVEs)

CVE-2025-13738 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Table of Contents <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published Feb 18, 2026 · Patched in 2.0.79 (1d)

CVE-2026-32343 · Medium (4.3) · Cross-Site Request Forgery (CSRF)
Easy Table of Contents <= 2.0.80 - Cross-Site Request Forgery
Published Feb 11, 2026 · Patched in 2.0.81 (64d)

CVE-2024-7082 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Table of Contents <= 2.0.67.1 - Authenticated (Editor+) Stored Cross-Site Scripting
Published Jul 16, 2024 · Patched in 2.0.68 (57d)

CVE-2024-6334 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Table of Contents <= 2.0.67 - Authenticated (Editor+) Stored Cross-Site Scripting
Published Jun 18, 2024 · Patched in 2.0.67.1 (29d)

CVE-2024-5573 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Table of Contents <= 2.0.65 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published Jun 5, 2024 · Patched in 2.0.66 (22d)

CVE-2023-25469 · Medium (5.4) · Missing Authorization
Easy Table of Contents <= 2.0.45.2 - Missing Authorization via eztoc_reset_options_to_default
Published Mar 21, 2023 · Patched in 2.0.46 (308d)
Version History

Easy Table of Contents Release Timeline

v2.0.82.2 (current) · 9 files changed
v2.0.82.1 · 4 files changed
v2.0.82 · 10 files changed
v2.0.81 · 6 files changed
v2.0.80 · 1 CVE · 14 files changed
v2.0.79.2 · 1 CVE · 5 files changed
v2.0.79.1 · 1 CVE · 4 files changed
v2.0.79 · 1 CVE · 23 files changed
v2.0.78 · 2 CVEs · 14 files changed
v2.0.77 · 2 CVEs · 11 files changed
v2.0.76 · 2 CVEs · 9 files changed
v2.0.75 · 2 CVEs · 8 files changed
v2.0.74 · 2 CVEs · 14 files changed
v2.0.73 · 2 CVEs · 16 files changed
v2.0.72 · 2 CVEs · 13 files changed
v2.0.71 · 2 CVEs · 12 files changed
v2.0.70 · 2 CVEs · 14 files changed
v2.0.69.1 · 2 CVEs · 4 files changed
v2.0.69 · 2 CVEs · 18 files changed
Code Analysis
Analyzed Mar 16, 2026

Easy Table of Contents Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 42 (688 escaped)
Nonce Checks: 7
Capability Checks: 10
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (3 total queries)

Output Escaping

94% escaped (730 total outputs)
Attack Surface

Easy Table of Contents Attack Surface

Entry Points: 19
Unprotected: 0

AJAX Handlers 6

[auth] wp_ajax_eztoc_send_query_message · includes\class-eztoc-admin.php:43
[auth] wp_ajax_eztoc_migrate_tocplus · includes\class-eztoc-admin.php:44
[auth] wp_ajax_eztoc_reset_options_to_default · includes\class-eztoc-option.php:2814
[auth] wp_ajax_eztoc_subscribe_newsletter · includes\class-eztoc-pointers.php:10
[auth] wp_ajax_eztoc_send_feedback · includes\helper-function.php:113
[auth] wp_ajax_eztoc_export_all_settings · includes\inc.functions.php:152

Shortcodes 13

[ez-toc] easy-table-of-contents.php:181
[ez-toc-widget-sticky] easy-table-of-contents.php:187
[ez-toc-sitemap] includes\class-eztoc-sitemap.php:20
[ez-toc-sitemap-pages] includes\class-eztoc-sitemap.php:21
[ez-toc-sitemap-categories] includes\class-eztoc-sitemap.php:22
[ez-toc-sitemap-posts] includes\class-eztoc-sitemap.php:23
[sitemap] includes\class-eztoc-sitemap.php:26
[sitemap_pages] includes\class-eztoc-sitemap.php:27
[sitemap_categories] includes\class-eztoc-sitemap.php:28
[sitemap_posts] includes\class-eztoc-sitemap.php:29
[no-ez-toc] includes\inc.functions.php:564
[no-toc] includes\inc.functions.php:586
[vc_toggle] includes\inc.plugin-compatibility.php:531
WordPress Hooks 113
action · admin_head · easy-table-of-contents.php:161
action · wp_enqueue_scripts · easy-table-of-contents.php:162
action · wp_enqueue_scripts · easy-table-of-contents.php:163
action · wp_enqueue_scripts · easy-table-of-contents.php:164
action · wp_head · easy-table-of-contents.php:165
action · wp_enqueue_scripts · easy-table-of-contents.php:166
filter · the_content · easy-table-of-contents.php:170
filter · ilj_get_the_content · easy-table-of-contents.php:174
filter · ampforwp_modify_the_content · easy-table-of-contents.php:177
filter · term_description · easy-table-of-contents.php:179
filter · woocommerce_taxonomy_archive_description_raw · easy-table-of-contents.php:180
action · wp_footer · easy-table-of-contents.php:188
filter · wpseo_schema_graph · easy-table-of-contents.php:189
filter · get_the_archive_description · easy-table-of-contents.php:190
action · template_redirect · easy-table-of-contents.php:195
filter · mce_external_plugins · easy-table-of-contents.php:2081
filter · mce_buttons · easy-table-of-contents.php:2082
action · plugins_loaded · easy-table-of-contents.php:2311
action · admin_head · includes\class-eztoc-admin.php:36
action · admin_init · includes\class-eztoc-admin.php:38
action · admin_menu · includes\class-eztoc-admin.php:39
action · init · includes\class-eztoc-admin.php:40
action · admin_enqueue_scripts · includes\class-eztoc-admin.php:42
action · admin_init · includes\class-eztoc-option.php:2812
filter · ez_toc_settings_sticky · includes\class-eztoc-option.php:2818
filter · eztoc_localize_filter · includes\class-eztoc-pointers.php:9
filter · strip_shortcodes_tagnames · includes\class-eztoc-post.php:215
filter · the_content · includes\class-eztoc-post.php:237
action · admin_enqueue_scripts · includes\class-eztoc-widget.php:32
action · admin_footer-widgets.php · includes\class-eztoc-widget.php:33
action · widgets_init · includes\class-eztoc-widget.php:611
action · admin_enqueue_scripts · includes\class-eztoc-widgetsticky.php:35
action · admin_footer-widgets.php · includes\class-eztoc-widgetsticky.php:36
action · widgets_init · includes\class-eztoc-widgetsticky.php:815
filter · admin_footer · includes\helper-function.php:43
action · admin_enqueue_scripts · includes\helper-function.php:125
action · admin_enqueue_scripts · includes\helper-function.php:131
action · admin_notices · includes\inc.functions.php:145
action · init · includes\inc.functions.php:180
action · shutdown · includes\inc.functions.php:186
filter · eztoc_wordpress_final_output · includes\inc.functions.php:200
filter · ez_toc_modify_process_page_content · includes\inc.functions.php:225
filter · eztoc_shortcode_final_toc_html · includes\inc.functions.php:546
filter · eztoc_autoinsert_final_toc_html · includes\inc.functions.php:547
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.functions.php:566
filter · ez_toc_modify_process_page_content · includes\inc.functions.php:573
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.functions.php:588
filter · ez_toc_modify_process_page_content · includes\inc.functions.php:595
action · admin_init · includes\inc.functions.php:604
filter · ez_toc_allowable_tags · includes\inc.functions.php:672
filter · ez_toc_title · includes\inc.functions.php:692
filter · rank_math/researches/toc_plugins · includes\inc.plugin-compatibility.php:23
filter · ez_toc_strip_shortcodes_tagnames · includes\inc.plugin-compatibility.php:38
filter · ez_toc_strip_shortcodes_tagnames · includes\inc.plugin-compatibility.php:76
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:96
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:112
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.plugin-compatibility.php:129
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.plugin-compatibility.php:152
filter · ez_toc_strip_shortcodes_tagnames · includes\inc.plugin-compatibility.php:173
action · et_pb_admin_excluded_shortcodes · includes\inc.plugin-compatibility.php:192
filter · et_builder_render_layout · includes\inc.plugin-compatibility.php:219
action · after_setup_theme · includes\inc.plugin-compatibility.php:233
filter · uncode_single_content_final_output · includes\inc.plugin-compatibility.php:238
filter · ez_toc_apply_filter_status_manually · includes\inc.plugin-compatibility.php:244
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:261
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:276
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:291
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:307
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:322
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:338
filter · get_the_excerpt · includes\inc.plugin-compatibility.php:369
filter · get_the_excerpt · includes\inc.plugin-compatibility.php:370
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.plugin-compatibility.php:371
filter · ez_toc_strip_shortcodes_tagnames · includes\inc.plugin-compatibility.php:373
action · elementor/init · includes\inc.plugin-compatibility.php:457
filter · ez_toc_maybe_apply_the_content_filter · includes\inc.plugin-compatibility.php:468
filter · fl_builder_layout_data · includes\inc.plugin-compatibility.php:506
action · poka_before_main · includes\inc.plugin-compatibility.php:598
action · poka_before_main · includes\inc.plugin-compatibility.php:602
action · poka_before_main · includes\inc.plugin-compatibility.php:604
filter · the_content · includes\inc.plugin-compatibility.php:606
action · poka_after_main · includes\inc.plugin-compatibility.php:608
action · poka_after_main · includes\inc.plugin-compatibility.php:612
action · poka_after_main · includes\inc.plugin-compatibility.php:614
filter · the_content · includes\inc.plugin-compatibility.php:616
filter · ez_toc_regex_filteration · includes\inc.plugin-compatibility.php:621
filter · ez_toc_regex_filteration · includes\inc.plugin-compatibility.php:629
filter · ez_toc_extract_headings_content · includes\inc.plugin-compatibility.php:642
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:662
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:683
filter · ez_toc_exclude_by_selector · includes\inc.plugin-compatibility.php:700
filter · ez_toc_sidebar_has_toc_filter · includes\inc.plugin-compatibility.php:717
filter · ez_toc_sidebar_has_toc_filter · includes\inc.plugin-compatibility.php:742
filter · ez_toc_sidebar_has_toc_filter · includes\inc.plugin-compatibility.php:767
filter · eztoc_wordpress_final_output · includes\inc.plugin-compatibility.php:788
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:858
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:873
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:893
filter · ez_toc_sidebar_has_toc_filter · includes\inc.plugin-compatibility.php:931
filter · eztoc_modify_the_content · includes\inc.plugin-compatibility.php:954
filter · ez_toc_pro_inline_css · includes\inc.plugin-compatibility.php:997
action · wp_enqueue_scripts · includes\inc.plugin-compatibility.php:1048
filter · ez_toc_apply_filter_status_manually · includes\inc.plugin-compatibility.php:1057
filter · ez_toc_table_heading_title_anchor · includes\inc.plugin-compatibility.php:1086
filter · ez_toc_content_heading_title · includes\inc.plugin-compatibility.php:1087
filter · ez_toc_content_heading_title_anchor · includes\inc.plugin-compatibility.php:1088
filter · ez_toc_apply_filter_status_manually · includes\inc.plugin-compatibility.php:1102
filter · ez_toc_strip_shortcodes_with_inner_content · includes\inc.plugin-compatibility.php:1118
filter · wp_kses_allowed_html · includes\inc.plugin-compatibility.php:1162
filter · ez_toc_modify_process_page_content · includes\inc.plugin-compatibility.php:1174
action · template_redirect · includes\inc.plugin-compatibility.php:1190
action · wp_footer · includes\inc.plugin-compatibility.php:1277
filter · ez_toc_apply_filter_status_manually · includes\inc.plugin-compatibility.php:1369
Maintenance & Trust

Easy Table of Contents Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 26, 2026
PHP min version: 5.6.20
Downloads: 17.8M

Community Trust

Rating: 88/100
Number of ratings: 217
Active installs: 600K
Developer Profile

Easy Table of Contents Developer Profile

Magazine3

14 plugins · 739K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 317 days
Detection Fingerprints

How We Detect Easy Table of Contents

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/easy-table-of-contents/build/css/frontend.min.css
/wp-content/plugins/easy-table-of-contents/build/js/frontend.min.js
/wp-content/plugins/easy-table-of-contents/build/css/backend.min.css
/wp-content/plugins/easy-table-of-contents/build/js/backend.min.js
/wp-content/plugins/easy-table-of-contents/css/frontend.css
/wp-content/plugins/easy-table-of-contents/css/backend.css
Script Paths
/wp-content/plugins/easy-table-of-contents/build/js/frontend.min.js
/wp-content/plugins/easy-table-of-contents/build/js/backend.min.js
/wp-content/plugins/easy-table-of-contents/js/frontend.js
/wp-content/plugins/easy-table-of-contents/js/backend.js
Version Parameters
easy-table-of-contents/build/css/frontend.min.css?ver=
easy-table-of-contents/build/js/frontend.min.js?ver=
easy-table-of-contents/build/css/backend.min.css?ver=
easy-table-of-contents/build/js/backend.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
eztoc-widget, eztoc-widget-sticky, eztoc-scroll-smooth, eztoc-sticky-nav, eztoc-container, eztoc-single-header, eztoc-single-footer, eztoc-btn-label
HTML Comments
<!-- Easy Table of Contents -->
<!-- /Easy Table of Contents -->
Data Attributes
data-eztoc-id, data-eztoc-parent-id, data-eztoc-level, data-eztoc-heading, data-eztoc-slug, data-eztoc-order
JS Globals
eztoc, ez_toc_params
REST Endpoints
/wp-json/eztoc/v1/settings
Shortcode Output
[ez-toc], [ez-toc-widget-sticky], [toc]
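The fingerprints above are what an external audit actually matches on. The Python below is an added example, not code from the plugin or the analysis site, that applies them to fetched HTML: it matches the asset paths, reads the version from the ?ver= parameter, and maps that version onto the "<= last affected" ranges from the CVE list on this page. It assumes the site emits the plugin's own version constant as ?ver= (asset combiners and cache-busters break that assumption, which the code handles by reporting the version as unknown) and that the HTML was already fetched; SAMPLE_HTML and the example.test host are constructed. Versions are compared as integer tuples rather than strings so that 3- and 4-part versions such as 2.0.79.2 order correctly.

```python
"""Fingerprint Easy Table of Contents in fetched HTML and map the detected
version onto the CVE ranges listed on this page.  Added example, not code from
the plugin or the analysis site; SAMPLE_HTML is constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Asset paths and ?ver= parameter from the Detection Fingerprints section.
ASSET_RE = re.compile(
    r"/wp-content/plugins/easy-table-of-contents/"
    r"(?:build/)?(?:css|js)/(?:frontend|backend)(?:\.min)?\.(?:css|js)"
    r"(?:\?ver=([0-9]+(?:\.[0-9]+)*))?"
)
# DOM fingerprints from the same section: HTML comment, CSS class, JS global, data attribute.
DOM_MARKERS = ("<!-- Easy Table of Contents -->", "eztoc-container", "ez_toc_params", "data-eztoc-id")

# (CVE, last affected version), copied from the vulnerability list on this page.
AFFECTED: List[Tuple[str, str]] = [
    ("CVE-2025-13738", "2.0.78"),
    ("CVE-2026-32343", "2.0.80"),
    ("CVE-2024-7082", "2.0.67.1"),
    ("CVE-2024-6334", "2.0.67"),
    ("CVE-2024-5573", "2.0.65"),
    ("CVE-2023-25469", "2.0.45.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version -> int tuple.  Trailing zeros are dropped so 2.0.80.0 == 2.0.80.
    Never compare version strings: '2.0.9' > '2.0.82.2' lexically, which is wrong."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected_cves(version: str) -> List[str]:
    """CVEs whose '<= last affected' range contains `version`."""
    v = parse_version(version)
    return [cve for cve, last in AFFECTED if v <= parse_version(last)]


def detect(html: str) -> Dict[str, object]:
    """Return presence, best-effort version, matching CVEs and the evidence used."""
    evidence: List[str] = []
    versions: Set[str] = set()
    for m in ASSET_RE.finditer(html):
        evidence.append(m.group(0))
        if m.group(1):
            versions.add(m.group(1))
    evidence.extend(marker for marker in DOM_MARKERS if marker in html)
    # Minifiers and asset combiners often rewrite or drop ?ver=, and the value is
    # only the plugin version when the plugin enqueues its own constant.  Report
    # a version only when every tagged asset agrees; otherwise leave it unknown.
    version: Optional[str] = next(iter(versions)) if len(versions) == 1 else None
    return {
        "present": bool(evidence),
        "version": version,
        "affected_cves": affected_cves(version) if version else [],
        "evidence": evidence,
    }


# Constructed sample response; example.test is a placeholder host.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/easy-table-of-contents/build/css/frontend.min.css?ver=2.0.78" />
<script src="https://example.test/wp-content/plugins/easy-table-of-contents/build/js/frontend.min.js?ver=2.0.78"></script>
</head><body>
<!-- Easy Table of Contents -->
<div class="ez-toc-container eztoc-container" data-eztoc-id="1"></div>
<!-- /Easy Table of Contents -->
</body></html>"""

if __name__ == "__main__":
    result = detect(SAMPLE_HTML)
    print("present:", result["present"], "version:", result["version"])
    print("affected:", result["affected_cves"])
```

A hit with an unknown version is still a finding for the inventory; only the CVE mapping needs the version, and when the assets disagree the safer reading is the oldest version present on the page rather than none, a choice left to the caller here.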
FAQ

Frequently Asked Questions about Easy Table of Contents