Joli Table Of Contents Security & Risk Analysis

wordpress.org/plugins/joli-table-of-contents

The Best Table of Contents Plugin for WordPress. User-friendly. Gutenberg Block. Fast & Highly customizable. Auto or manual insert.

7K active installs · v2.8.2 · PHP 5.6+ · WP 5.0+ · Updated Jan 5, 2026
Tags: navigation, page-contents, table-of-contents, table-of-content, toc

Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Jan 3, 2023
Safety Verdict

Is Joli Table Of Contents Safe to Use in 2026?

Generally Safe

Score 100/100

Joli Table Of Contents has a strong security track record: it has a single known CVE, and that one is patched.

1 known CVE · Last CVE: Jan 3, 2023 · Updated 2mo ago
Risk Assessment

The joli-table-of-contents v2.8.2 plugin presents a moderate security risk. It shows some good practices: most SQL queries use prepared statements, and the code contains a fair number of nonce and capability checks. The main concern is the attack surface: 8 AJAX handlers, 7 of which the scanner flags as unprotected (no nonce or capability check detected in the handler). All 8 are registered on wp_ajax_ (logged-in) hooks rather than wp_ajax_nopriv_, so they are not reachable anonymously, but on a site with open registration any subscriber-level account can call them; being authenticated is not the same as being authorized. The taint analysis also reports 2 high-severity flows from user input to dangerous sinks. The plugin's history includes a medium-severity CSRF CVE, which in a WordPress plugin usually means a state-changing action without a nonce check, the same class of defect as the unguarded handlers found today. No CVEs are currently unpatched, but the combination of a past CSRF issue with present unguarded AJAX handlers and high-severity taint flows suggests that request validation is not applied consistently across the code base. Overall, the plugin uses the right security primitives in places but is weakened by a large, unguarded attack surface and the taint analysis results.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Output escaping below 70%
  • Bundled Freemius v1.0 library
  • Medium severity CVE history
Vulnerabilities (1)

Joli Table Of Contents Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2022-46820 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Joli Table of Contents <= 1.3.9 - Cross-Site Request Forgery

Published Jan 3, 2023 · Patched in 2.0.0 (385 days)
Code Analysis (analyzed Mar 16, 2026)

Joli Table Of Contents Code Analysis

Dangerous functions: 0
Raw SQL queries: 2 (6 prepared)
Unescaped output: 680 (892 escaped)
Nonce checks: 23
Capability checks: 10
File operations: 11
External requests: 4
Bundled libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

75% prepared (8 total queries)

Output Escaping

57% escaped (1572 total outputs)

Data Flows (5 unsanitized)

Data Flow Analysis

10 flows, 5 with unsanitized paths
updatePostTypeSetting (core\Controllers\PostTypeSettingController.php:27)
Attack Surface (7 unprotected)

Joli Table Of Contents Attack Surface

Entry points: 8
Unprotected: 7

AJAX Handlers (8; all registered on the logged-in wp_ajax_ hook, none on wp_ajax_nopriv_)

auth wp_ajax_joli_toc_handle_v2_notice @ core\Hooks.php:92
auth wp_ajax_joli_toc_handle_notice @ core\Hooks.php:94
auth wp_ajax_joli_toc_update_active_post_type_setting @ core\Hooks.php:96
auth wp_ajax_joli_toc_export_user_settings @ core\Hooks.php:98
auth wp_ajax_joli_toc_import_user_settings @ core\Hooks.php:99
auth wp_ajax_fs_toggle_debug_mode @ includes\fs\includes\managers\class-fs-debug-manager.php:477
auth wp_ajax_joli_toc_handle_v2_notice @ v1\core\Hooks.php:55
auth wp_ajax_joli_toc_handle_notice @ v1\core\Hooks.php:59
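To make the "unprotected AJAX handler" finding, the unsanitized updatePostTypeSetting flow and the historical CSRF CVE concrete, here is an added example of a wp_ajax_ handler that updates a per-post-type setting, first in the unguarded shape a scanner flags and then with the checks it looks for. This is not the plugin's code: every function, action and option name (example_toc_*) is hypothetical, and the test doubles at the top exist only so the file runs under the PHP CLI; inside WordPress the real functions are already defined and that block is skipped.

```php
<?php
// Added example, not code from the Joli Table Of Contents plugin. Names
// (example_toc_*) are hypothetical. The doubles below exist only so this
// file runs under `php` on the command line; inside WordPress the real
// functions are defined and this block is skipped.
if (!function_exists('check_ajax_referer')) {
    function check_ajax_referer($action, $query_arg = false, $die = true) {
        $sent = (string) ($_REQUEST['_ajax_nonce'] ?? '');
        $ok   = hash_equals('nonce-' . $action, $sent);   // constructed nonce format for the demo
        if (!$ok && $die) { throw new RuntimeException('nonce check failed'); }
        return $ok;
    }
    function current_user_can($cap) { return !empty($GLOBALS['caps'][$cap]); }
    function get_post_types($args = [], $output = 'names') { return ['post' => 'post', 'page' => 'page']; }
    function sanitize_key($key) { return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key)); }
    function get_option($name, $default = false) { return $GLOBALS['opts'][$name] ?? $default; }
    function update_option($name, $value) { $GLOBALS['opts'][$name] = $value; return true; }
    function wp_send_json_error($data = null, $status = null) { throw new RuntimeException((string) $data); }
    function wp_send_json_success($data = null) { echo json_encode(['success' => true, 'data' => $data]), "\n"; }
    function add_action($hook, $callback) { $GLOBALS['hooks'][$hook][] = $callback; }
}

// BEFORE: the shape a scanner reports as an unprotected AJAX handler.
// wp_ajax_* fires for every logged-in user, subscribers included, so
// "authenticated" is not "authorized". No nonce (CSRF), no capability
// check, and the raw $_POST values are written into the option.
function example_toc_update_post_type_unsafe() {
    $settings = get_option('example_toc_post_types', []);
    $settings[$_POST['post_type']] = $_POST['enabled'];
    update_option('example_toc_post_types', $settings);
    wp_send_json_success($settings);
}

// AFTER: nonce, capability, allow-list validation, typed value.
function example_toc_update_post_type_safe() {
    check_ajax_referer('example_toc_settings');               // rejects forged cross-site requests
    if (!current_user_can('manage_options')) {                // settings changes are admin-only
        wp_send_json_error('insufficient permissions', 403);
    }
    $post_type = sanitize_key($_POST['post_type'] ?? '');
    if (!in_array($post_type, get_post_types([], 'names'), true)) {   // only registered post types
        wp_send_json_error('unknown post type', 400);
    }
    $enabled  = filter_var($_POST['enabled'] ?? '0', FILTER_VALIDATE_BOOLEAN);
    $settings = get_option('example_toc_post_types', []);
    $settings[$post_type] = $enabled;
    update_option('example_toc_post_types', $settings);
    wp_send_json_success($settings);
}
// Registered on wp_ajax_ only, never wp_ajax_nopriv_: anonymous visitors
// have no business changing settings.
add_action('wp_ajax_example_toc_update_post_type', 'example_toc_update_post_type_safe');

// CLI demo with a constructed request. A cross-site form post carries the
// victim's cookies but cannot know the nonce, so it arrives without one.
if (PHP_SAPI === 'cli' && !function_exists('wp_die')) {
    $GLOBALS['caps'] = ['manage_options' => true];
    $_POST = $_REQUEST = ['post_type' => 'page', 'enabled' => '1'];
    example_toc_update_post_type_unsafe();                     // forged request accepted and written
    try {
        example_toc_update_post_type_safe();                   // same forged request
    } catch (RuntimeException $e) {
        echo "safe handler rejected it: {$e->getMessage()}\n";
    }
    $_REQUEST['_ajax_nonce'] = 'nonce-example_toc_settings';  // request sent from the settings page
    example_toc_update_post_type_safe();
}
```

When reviewing a real handler, check all three layers in order: the nonce (check_ajax_referer or wp_verify_nonce) defends against CSRF, the capability check defends against low-privilege accounts, and the allow-list on post_type keeps arbitrary keys out of the stored option. A handler with only one of the three still counts as unprotected for the other two attack paths.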
WordPress Hooks (68)
action admin_notices @ core\Controllers\AdminNotices.php:37
action admin_notices @ core\Controllers\AdminNotices.php:43
filter safe_style_css @ core\Controllers\Callbacks\SettingsCallbacks.php:16
action admin_notices @ core\Controllers\NoticesFreeController.php:40
action admin_notices @ core\Controllers\NoticesFreeController.php:46
action init @ core\Hooks.php:77
action init @ core\Hooks.php:78
action init @ core\Hooks.php:80
action init @ core\Hooks.php:83
action init @ core\Hooks.php:85
action admin_init @ core\Hooks.php:88
action admin_menu @ core\Hooks.php:89
action admin_enqueue_scripts @ core\Hooks.php:90
action rest_api_init @ core\Hooks.php:101
action init @ core\Hooks.php:144
action wp_enqueue_scripts @ core\Hooks.php:146
action init @ core\Hooks.php:149
filter the_content @ core\Hooks.php:151
filter the_content @ core\Hooks.php:152
filter the_content @ core\Hooks.php:153
action plugins_loaded @ core\Hooks.php:161
filter rank_math/researches/toc_plugins @ core\Integrations\RankMath.php:11
filter connect_message_on_update @ fs-helpers.php:22
action after_uninstall @ fs-helpers.php:34
filter plugin_icon @ fs-helpers.php:46
action admin_footer @ includes\fs\includes\class-fs-logger.php:111
action wp_footer @ includes\fs\includes\class-fs-logger.php:113
filter plugins_api @ includes\fs\includes\class-fs-plugin-updater.php:85
action admin_head @ includes\fs\includes\class-fs-plugin-updater.php:108
action admin_footer @ includes\fs\includes\class-fs-plugin-updater.php:110
filter http_request_host_is_external @ includes\fs\includes\class-fs-plugin-updater.php:114
filter upgrader_post_install @ includes\fs\includes\class-fs-plugin-updater.php:122
filter upgrader_pre_install @ includes\fs\includes\class-fs-plugin-updater.php:125
filter upgrader_source_selection @ includes\fs\includes\class-fs-plugin-updater.php:126
filter wp_prepare_themes_for_js @ includes\fs\includes\class-fs-plugin-updater.php:129
action admin_footer @ includes\fs\includes\class-fs-plugin-updater.php:179
filter pre_set_site_transient_update_plugins @ includes\fs\includes\class-fs-plugin-updater.php:294
filter pre_set_site_transient_update_themes @ includes\fs\includes\class-fs-plugin-updater.php:299
filter upgrader_source_selection @ includes\fs\includes\class-fs-plugin-updater.php:1388
filter debug_bar_panels @ includes\fs\includes\debug\debug-bar-start.php:51
filter debug_bar_statuses @ includes\fs\includes\debug\debug-bar-start.php:52
action install_plugins_pre_plugin-information @ includes\fs\includes\fs-plugin-info-dialog.php:66
filter fs_plugins_api @ includes\fs\includes\fs-plugin-info-dialog.php:69
action admin_footer @ includes\fs\includes\managers\class-fs-admin-notice-manager.php:217
action network_admin_notices @ includes\fs\includes\managers\class-fs-admin-notice-manager.php:396
action admin_notices @ includes\fs\includes\managers\class-fs-admin-notice-manager.php:397
action admin_enqueue_scripts @ includes\fs\includes\managers\class-fs-admin-notice-manager.php:400
action admin_post_fs_clone_resolution @ includes\fs\includes\managers\class-fs-clone-manager.php:145
action admin_footer @ includes\fs\includes\managers\class-fs-clone-manager.php:163
action fs_debug_turn_off_logging_hook @ includes\fs\includes\managers\class-fs-debug-manager.php:492
action http_api_curl @ includes\fs\includes\sdk\FreemiusWordPress.php:482
action admin_footer @ includes\fs\templates\account.php:93
action admin_notices @ v1\core\Controllers\AdminNotices.php:32
action admin_notices @ v1\core\Controllers\NoticesFreeController.php:40
action admin_notices @ v1\core\Controllers\NoticesFreeController.php:46
action init @ v1\core\Hooks.php:54
action init @ v1\core\Hooks.php:58
action admin_enqueue_scripts @ v1\core\Hooks.php:62
action admin_menu @ v1\core\Hooks.php:63
action admin_init @ v1\core\Hooks.php:64
action init @ v1\core\Hooks.php:73
action init @ v1\core\Hooks.php:76
filter the_content @ v1\core\Hooks.php:78
action plugins_loaded @ v1\core\Hooks.php:85
filter rank_math/researches/toc_plugins @ v1\core\Integrations\RankMath.php:11
filter connect_message_on_update @ v1\fs-helpers.php:21
action after_uninstall @ v1\fs-helpers.php:33
filter plugin_icon @ v1\fs-helpers.php:45

Scheduled Events (1)

fs_debug_turn_off_logging_hook
Maintenance & Trust

Joli Table Of Contents Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 5, 2026
PHP min version: 5.6
Downloads: 125K

Community Trust

Rating: 98/100
Number of ratings: 40
Active installs: 7K
Developer Profile

Joli Table Of Contents Developer Profile

WPJoli

4 plugins · 8K total installs

Trust score: 79
Avg security score: 100/100
Avg patch time: 194 days
Detection Fingerprints

How We Detect Joli Table Of Contents

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/joli-table-of-contents/assets/public/css/wpjoli-joli-table-of-contents.css
/wp-content/plugins/joli-table-of-contents/assets/admin/css/joli-toc-admin.css
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin.js
/wp-content/plugins/joli-table-of-contents/vendor/wp-color-picker-alpha/wp-color-picker-alpha.min.js
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin-notices.js
/wp-content/plugins/joli-table-of-contents/gutenberg/blocks/joli-table-of-contents/index.js
/wp-content/plugins/joli-table-of-contents/gutenberg/admin/wpjoli-joli-toc-sidebar/index.asset.php
Script Paths
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin.js
/wp-content/plugins/joli-table-of-contents/vendor/wp-color-picker-alpha/wp-color-picker-alpha.min.js
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin-notices.js
/wp-content/plugins/joli-table-of-contents/gutenberg/blocks/joli-table-of-contents/index.js
Version Parameters
/wp-content/plugins/joli-table-of-contents/assets/public/css/wpjoli-joli-table-of-contents.css?ver=
/wp-content/plugins/joli-table-of-contents/assets/admin/css/joli-toc-admin.css?ver=
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin.js?ver=
/wp-content/plugins/joli-table-of-contents/assets/admin/js/joli-toc-admin-notices.js?ver=
/wp-content/plugins/joli-table-of-contents/gutenberg/blocks/joli-table-of-contents/index.js?ver=

HTML / DOM Fingerprints

CSS Classes
joli-toc-sidebar, joli-toc-settings
Data Attributes
data-joli-toc-settings
JS Globals
jtocAdmin, jtocAdminNotice
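As an added example (not the scanner's own code), the function below applies the asset-path and DOM fingerprints listed above to a page's HTML and pulls a candidate version from the ?ver= parameter. The constant, function name and the sample HTML at the bottom are constructed for the demo.

```php
<?php
// Added example, not the scanner's own code. Applies the asset-path and DOM
// fingerprints listed above to a page's HTML. The sample HTML at the bottom
// is constructed for the demo.
const JOLI_TOC_PLUGIN_DIR = '/wp-content/plugins/joli-table-of-contents/';

function joli_toc_fingerprint(string $html): array {
    $evidence = [];
    $version  = null;

    // Any URL under the plugin directory is strong evidence. When the enqueue
    // added ?ver=, keep it only if it looks like a dotted version number.
    $dir = preg_quote(JOLI_TOC_PLUGIN_DIR, '~');
    $re  = '~' . $dir . '([^"\'\s?#]+)(?:\?ver=([^"\'\s&#]+))?~';
    if (preg_match_all($re, $html, $hits, PREG_SET_ORDER)) {
        foreach ($hits as $hit) {
            $evidence[] = 'asset:' . $hit[1];
            if ($version === null && !empty($hit[2]) && preg_match('/^\d+(\.\d+)+$/', $hit[2])) {
                $version = $hit[2];
            }
        }
    }

    // Rendered DOM markers. The lookarounds stop "joli-toc-settings" from
    // also matching inside "data-joli-toc-settings", and "jtocAdmin" inside
    // "jtocAdminNotice".
    $markers = ['joli-toc-sidebar', 'joli-toc-settings', 'data-joli-toc-settings', 'jtocAdmin', 'jtocAdminNotice'];
    foreach ($markers as $marker) {
        if (preg_match('/(?<![\w-])' . preg_quote($marker, '/') . '(?![\w-])/', $html)) {
            $evidence[] = 'dom:' . $marker;
        }
    }

    return [
        'detected' => $evidence !== [],
        'version'  => $version,
        'evidence' => array_values(array_unique($evidence)),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: what a post page with the TOC enabled might emit.
    $sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/joli-table-of-contents/assets/public/css/wpjoli-joli-table-of-contents.css?ver=2.8.2" media="all">
<script src="https://example.test/wp-content/plugins/joli-table-of-contents/gutenberg/blocks/joli-table-of-contents/index.js?ver=2.8.2"></script>
<div class="joli-toc-sidebar" data-joli-toc-settings="{}"></div>
HTML;
    print_r(joli_toc_fingerprint($sample));
}
```

Two caveats when using this in an audit. The ?ver= value is whatever the plugin passed to wp_enqueue_style/wp_enqueue_script; it usually equals the plugin version but can be the site's WordPress version or a cache-buster, so confirm it against the Stable tag in /wp-content/plugins/joli-table-of-contents/readme.txt before reporting a version. And a negative result on the front end does not rule the plugin out: the admin assets and the jtocAdmin globals only load inside wp-admin, and the public stylesheet may only be enqueued on posts where a TOC is actually inserted.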
FAQ

Frequently Asked Questions about Joli Table Of Contents