LuckyWP Table of Contents Security & Risk Analysis

wordpress.org/plugins/luckywp-table-of-contents

Creates SEO-friendly table of contents for your posts/pages. Works automatically or manually (via shortcode, Gutenberg block or widget).

100K active installs · v2.1.14 · PHP 5.6.20+ · WP 4.7+ · Updated Apr 16, 2025

Tags: links · navigation · seo · table-of-contents · toc

Score: 97 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Apr 2, 2025
Safety Verdict

Is LuckyWP Table of Contents Safe to Use in 2026?

Generally Safe

Score 97/100

LuckyWP Table of Contents has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Apr 2, 2025 · Updated 11mo ago
Risk Assessment

The luckywp-table-of-contents plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and incorporating nonce checks and capability checks. The absence of dangerous functions, file operations, and external HTTP requests is also a strength. However, a significant concern arises from the large attack surface presented by 11 unprotected AJAX handlers. While taint analysis shows no critical or high severity unsanitized flows, the presence of two flows with unsanitized paths is a potential area of risk that warrants attention, especially given the unprotected entry points.

The plugin's vulnerability history reveals a concerning pattern of 5 medium-severity Cross-Site Scripting (XSS) vulnerabilities. Although all historical CVEs are currently patched, this trend suggests a recurring weakness in input sanitization and output escaping, which is further supported by the static analysis showing only 5% of outputs are properly escaped. This low rate of proper escaping on a large number of outputs (272) significantly increases the risk of XSS vulnerabilities being introduced, even if they are not immediately apparent in the current version.

In conclusion, while the plugin has strengths in its database query handling and some security checks, the extensive unprotected AJAX endpoints and the low rate of output escaping are substantial weaknesses. The past history of XSS vulnerabilities further amplifies these concerns. Mitigation efforts should prioritize addressing the unprotected AJAX handlers and improving output escaping across the plugin's code to prevent future XSS exploits.

Key Concerns

  • 11 unprotected AJAX handlers
  • Low output escaping (5%)
  • 2 flows with unsanitized paths
  • History of 5 medium XSS vulnerabilities
Vulnerabilities (5)

LuckyWP Table of Contents Security Vulnerabilities

CVEs by Year

2024: 4 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2025-2299 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Apr 2, 2025 · Patched in 2.1.11 (1d)
CVE-2024-9641 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LuckyWP Table of Contents <= 2.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 21, 2024 · Patched in 2.1.7 (58d)
CVE-2024-2119 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LuckyWP Table of Contents <= 2.1.5 - Reflected Cross-Site Scripting

May 21, 2024 · Patched in 2.1.6 (136d)
CVE-2023-6487 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LuckyWP Table of Contents <= 2.1.5 - Authenticated (Administrator+) Cross-Site Scripting

May 21, 2024 · Patched in 2.1.5 (136d)
CVE-2024-2953 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LuckyWP Table of Contents <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 21, 2024 · Patched in 2.1.5 (127d)
Code Analysis
Analyzed Mar 16, 2026

LuckyWP Table of Contents Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 258 (14 escaped)
Nonce Checks: 1
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

5% escaped · 272 total outputs

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows · 2 with unsanitized paths

showTabs (core\wp\Settings.php:415)
Attack Surface (11 unprotected)

LuckyWP Table of Contents Attack Surface

Entry Points: 11
Unprotected: 11

AJAX Handlers (11)

auth · wp_ajax_lwptoc_block_edit · admin\controllers\EditorBlockController.php:25
auth · wp_ajax_lwptoc_block_view · admin\controllers\EditorBlockController.php:26
auth · wp_ajax_lwptoc_metabox_set_enabled · admin\controllers\MetaboxController.php:25
auth · wp_ajax_lwptoc_metabox_set_processing · admin\controllers\MetaboxController.php:26
auth · wp_ajax_lwptoc_metabox_customize · admin\controllers\MetaboxController.php:27
auth · wp_ajax_lwptoc_rate · admin\controllers\RateController.php:18
auth · wp_ajax_lwptoc_rate_show_later · admin\controllers\RateController.php:19
auth · wp_ajax_lwptoc_rate_hide · admin\controllers\RateController.php:20
auth · wp_ajax_lwptoc_shortcode_customize · admin\controllers\ShortcodeController.php:24
auth · wp_ajax_lwptoc_shortcode_view · admin\controllers\ShortcodeController.php:25
auth · wp_ajax_lwptoc_widget_customize · admin\controllers\WidgetController.php:26
WordPress Hooks (52)
action · admin_menu · admin\Admin.php:28
action · admin_enqueue_scripts · admin\Admin.php:29
action · add_meta_boxes · admin\Admin.php:30
action · plugins_loaded · admin\controllers\EditorBlockController.php:20
action · plugins_loaded · admin\controllers\MetaboxController.php:20
action · init · admin\controllers\RateController.php:13
action · admin_notices · admin\controllers\RateController.php:15
filter · install_plugins_nonmenu_tabs · admin\controllers\SettingsController.php:19
filter · install_plugins_table_api_args_luckywp · admin\controllers\SettingsController.php:23
action · plugins_loaded · admin\controllers\ShortcodeController.php:19
action · plugins_loaded · admin\controllers\WidgetController.php:21
filter · debug_information · admin\SiteHealth.php:13
action · wp_loaded · core\admin\AdminController.php:20
action · after_setup_theme · core\base\BasePlugin.php:66
action · admin_init · core\wp\Settings.php:94
action · wp_enqueue_scripts · front\Front.php:22
action · init · front\Front.php:23
filter · the_content · front\Front.php:25
action · wp_footer · front\Front.php:28
action · fl_theme_builder_before_render_content · integrations\BeaverBuilder.php:16
filter · fl_builder_before_render_shortcodes · integrations\BeaverBuilder.php:20
filter · lwptoc_need_processing_headings · integrations\BeaverBuilder.php:24
filter · fl_builder_after_render_shortcodes · integrations\BeaverBuilder.php:28
action · elementor/editor/after_enqueue_scripts · integrations\elementor\Elementor.php:18
filter · lwptoc_widget_customize_modal_config · integrations\elementor\Elementor.php:24
filter · lwptoc_admin_html_button_attrs · integrations\elementor\Elementor.php:30
action · ct_builder_start · integrations\Oxygen.php:15
action · ct_builder_start · integrations\Oxygen.php:18
filter · rank_math/researches/toc_plugins · integrations\RankMath.php:13
action · wpv_before_shortcode_post_body · integrations\ToolsetViews.php:16
filter · the_content · integrations\ToolsetViews.php:19
action · lwptoc_disable_autoinsert · integrations\ToolsetViews.php:20
action · wpv_after_shortcode_post_body · integrations\ToolsetViews.php:26
action · lwptoc_before · integrations\TwentyTwentyTheme.php:12
action · lwptoc_after · integrations\TwentyTwentyTheme.php:15
filter · lwptoc_widget_attrs · integrations\Wpml.php:17
action · lwptoc_widget_attrs_update · integrations\Wpml.php:18
action · delete_widget · integrations\Wpml.php:19
action · admin_notices · luckywp-table-of-contents.php:29
action · init · plugin\editorBlock\EditorBlock.php:14
action · admin_init · plugin\mcePlugin\McePlugin.php:14
filter · mce_css · plugin\mcePlugin\McePlugin.php:20
action · enqueue_block_editor_assets · plugin\mcePlugin\McePlugin.php:21
filter · mce_external_plugins · plugin\mcePlugin\McePlugin.php:22
filter · mce_buttons · plugin\mcePlugin\McePlugin.php:23
filter · the_content · plugin\Plugin.php:60
filter · the_content · plugin\Plugin.php:61
action · widgets_init · plugin\Plugin.php:62
action · plugins_loaded · plugin\Plugin.php:67
action · init · plugin\Plugin.php:89
action · init · plugin\Shortcode.php:29
filter · the_content · plugin\Shortcode.php:32
Maintenance & Trust

LuckyWP Table of Contents Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 16, 2025
PHP min version: 5.6.20
Downloads: 1.1M

Community Trust

Rating: 98/100
Number of ratings: 875
Active installs: 100K
Developer Profile

LuckyWP Table of Contents Developer Profile

LuckyWP

5 plugins · 119K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 174 days
Detection Fingerprints

How We Detect LuckyWP Table of Contents

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/luckywp-table-of-contents/admin/assets/main.min.css
/wp-content/plugins/luckywp-table-of-contents/admin/assets/main.min.js
Script Paths
/wp-content/plugins/luckywp-table-of-contents/admin/assets/main.min.js
Version Parameters
luckywp-table-of-contents/admin/assets/main.min.css?ver=
luckywp-table-of-contents/admin/assets/main.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
lwptoc-container
Data Attributes
data-lwptoc-settings
JS Globals
lwptocMain
FAQ

Frequently Asked Questions about LuckyWP Table of Contents