Rich Table of Contents Security & Risk Analysis

wordpress.org/plugins/rich-table-of-content

RTOC is a table of contents generation plugin from Japan that allows anyone to easily create a table of contents. Equipped with the functions of the c …

20K active installs · v1.4.3 · PHP 7.0+ · WP 5.3.2+ · Updated Apr 30, 2025
Tags: cms, indexes, navigation, table-of-contents, toc

Security score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Apr 9, 2025
Safety Verdict

Is Rich Table of Contents Safe to Use in 2026?

Generally Safe

Score 98/100

Rich Table of Contents has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 9, 2025 · Updated 11mo ago
Risk Assessment

The plugin 'rich-table-of-content' v1.4.3 exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and having no file operations or external HTTP requests, significant concerns arise from its output escaping and vulnerability history. The static analysis reveals a very low percentage (18%) of properly escaped outputs, indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. Although no critical or high severity taint flows were identified in this specific version's static analysis, the history of two medium severity CVEs, specifically related to missing authorization and XSS, combined with the poor output escaping, suggests a recurring pattern of input sanitization and authorization weaknesses.

Key Concerns

  • Low output escaping percentage (18%)
  • History of 2 medium severity CVEs
  • Vulnerability history indicates recurring XSS and authorization issues
Vulnerabilities (2)

Rich Table of Contents Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)
2025: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-31004 · medium · 4.3 · Missing Authorization
Rich Table of Contents <= 1.4.0 - Missing Authorization
Apr 9, 2025 · Patched in 1.4.1 (22d)

CVE-2022-4551 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Rich Table of Contents <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Jan 17, 2023 · Patched in 1.3.9 (371d)
Code Analysis
Analyzed Mar 16, 2026

Rich Table of Contents Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 154 (34 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

18% escaped (34 of 188 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows, 2 with unsanitized paths

  • rtoc_sanitize (include\rtoc_admin.php:1065)
Attack Surface

Rich Table of Contents Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

  • [rtoc_mokuji] (include\rtoc_shortcode.php:2050)

WordPress Hooks (29)

  • action admin_init (functions.php:36)
  • action plugins_loaded (functions.php:157)
  • action admin_print_styles (functions.php:169)
  • filter the_content (functions.php:1804)
  • filter rank_math/researches/toc_plugins (functions.php:1807)
  • action wp_footer (functions.php:1885)
  • action wp_enqueue_scripts (functions.php:1928)
  • action wp_enqueue_scripts (functions.php:2060)
  • action wp_enqueue_scripts (functions.php:2073)
  • action wp_enqueue_scripts (functions.php:2083)
  • action admin_init (functions.php:2099)
  • action admin_menu (include\rtoc_admin.php:17)
  • action admin_enqueue_scripts (include\rtoc_admin.php:55)
  • action admin_init (include\rtoc_admin.php:68)
  • action admin_init (include\rtoc_admin.php:170)
  • action admin_init (include\rtoc_admin.php:184)
  • action admin_init (include\rtoc_admin.php:312)
  • action admin_init (include\rtoc_admin.php:326)
  • action admin_init (include\rtoc_admin.php:481)
  • action admin_init (include\rtoc_admin.php:499)
  • action admin_init (include\rtoc_admin.php:538)
  • action admin_init (include\rtoc_admin.php:551)
  • action admin_init (include\rtoc_admin.php:590)
  • action admin_init (include\rtoc_admin.php:603)
  • action admin_init (include\rtoc_admin.php:640)
  • action admin_init (include\rtoc_admin.php:710)
  • action wp_head (include\rtoc_inline.php:129)
  • action wp_head (include\rtoc_inline.php:195)
  • action wp_head (include\rtoc_inline.php:267)
Maintenance & Trust

Rich Table of Contents Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 30, 2025
PHP min version: 7.0
Downloads: 357K

Community Trust

Rating: 82/100
Number of ratings: 17
Active installs: 20K
Developer Profile

Rich Table of Contents Developer Profile

Croover.inc

1 plugin · 20K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 197 days
Detection Fingerprints

How We Detect Rich Table of Contents

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/rich-table-of-content/css/rtoc.css
  • /wp-content/plugins/rich-table-of-content/js/rtoc.js

Version Parameters
  • /wp-content/plugins/rich-table-of-content/css/rtoc.css?ver=
  • /wp-content/plugins/rich-table-of-content/js/rtoc.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • rtoc_body, rtoc_content, rtoc_title, rtoc_list_h2, rtoc_list_h3, rtoc_back_button

Data Attributes
  • data-text-color, data-title-color, data-back-color, data-border-color, data-h2-color, data-h3-color

JS Globals
  • rtoc
FAQ

Frequently Asked Questions about Rich Table of Contents