
f(x) TOC Security & Risk Analysis
wordpress.org/plugins/fx-toc
Simple Table Of Contents Plugin. Just add [toc] shortcode in content to display.
Is f(x) TOC Safe to Use in 2026?
Use With Caution
Score 64/100
f(x) TOC has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The fx-toc plugin v1.1.0 shows a generally good security posture based on static analysis, with no critical or high-severity code signals detected. All identified SQL queries use prepared statements, and all output is escaped, mitigating common vulnerabilities such as SQL injection and cross-site scripting within the analyzed code. The absence of file operations, external HTTP requests, and dangerous functions further limits its internal attack surface.
However, the plugin's vulnerability history is a significant concern. It has a known medium-severity CVE for Cross-site Scripting that is currently unpatched. An attacker who exploits it could inject malicious scripts into web pages, which could lead to session hijacking, defacement, or other harmful actions. This single unpatched vulnerability, even at medium severity, significantly raises the overall risk profile.
In conclusion, while the code itself demonstrates sound security practices, the unpatched XSS vulnerability is a critical weakness. Users should be aware that updating to a version that addresses this specific CVE is paramount. The limited attack surface and lack of other detected code-level risks are positives, but the unpatched vulnerability outweighs these strengths and demands immediate attention and mitigation.
Key Concerns
- Unpatched medium severity CVE (XSS)
f(x) TOC Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
f(x) TOC <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
f(x) TOC Code Analysis
Output Escaping
f(x) TOC Attack Surface
Shortcodes: 1
WordPress Hooks: 3
f(x) TOC Maintenance & Trust
Maintenance Signals
Community Trust
f(x) TOC Alternatives
- Shortcode Table of Contents (shortcode-toc): Display an automated table of contents via shortcode.
- Digital Table of Contents (digital-table-of-contents): A powerful and customizable TOC plugin. Effortlessly navigate your content with advanced features and flexible styling.
- NanoTOC — Fast Lightweight Table of Contents (nanotoc): Fast, lightweight TOC for WordPress with nested/flat lists, smooth scroll, and optional offset.
- Protos TOC Generator (protos-toc-generator): Auto-generates a floating or inline table of contents with anchor links based on headings in your post. Improves readability and SEO.
- Simple Sticky TOC (simple-sticky-toc): Lightweight sticky table of contents for mobile and desktop. Automatically generates anchor links for h2–h4 headings. No jQuery.
f(x) TOC Developer Profile
12 plugins · 2K total installs
How We Detect f(x) TOC
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/fx-toc/css/fx-toc.css
- /wp-content/plugins/fx-toc/js/fx-toc.js
- fx-toc.css?ver=
- fx-toc.js?ver=
HTML / DOM Fingerprints
- CSS classes: fx-toc, fx-toc-title, fx-toc-list, level-2, level-3, level-4, level-5, level-6
- JavaScript/PHP identifiers: fx_toc_used_names, fx_toc_sc_unique_names_reset, fx_toc_sc_get_unique_name, fx_toc_sc_open_level, fx_toc_sc_close_level
- Markup: <div class="fx-toc, <h2 class="fx-toc-title">