[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbRYiDXovTyKDcFY3FEKJ8w3g9fx7QAD0GaOVNejqghE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13738","easy-table-of-contents-authenticated-contributor-stored-cross-site-scripting","Easy Table of Contents \u003C= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","easy-table-of-contents",null,"\u003C=2.0.78","2.0.79","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-02-19 04:36:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7205c238-4419-4292-8f9c-4ccf5b69dd60?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-13738 (Easy Table of Contents)\n\n## 1. Vulnerability Summary\nThe **Easy Table of Contents** plugin (\u003C= 2.0.78) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `ez-toc` shortcode. The vulnerability exists because the shortcode handler processes user-supplied attributes and reflects them into the page HTML without sufficient sanitization or context-aware output escaping. Authenticated users with **Contributor** permissions or higher can exploit this by embedding a malicious shortcode in a post or page, which executes JavaScript in the context of any user (including administrators) viewing that content.\n\n## 2. Attack Vector Analysis\n- **Entry Point:** WordPress Shortcode `[ez-toc]`.\n- **Vulnerable Component:** The shortcode callback function (likely `ezTOC::shortcode` or similar).\n- **Vulnerable Parameters:** Shortcode attributes such as `title`, `label`, or `header_label` (inferred).\n- **Authentication Level:** **Contributor** (PR:L). Contributors can create and edit their own posts but cannot typically publish them or use `unfiltered_html`. However, shortcodes are a standard feature available to them.\n- **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be viewed by a victim.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the shortcode in the main plugin file or an initialization class:\n `add_shortcode( 'ez-toc', [ 'ezTOC', 'shortcode' ] );`\n2. **Shortcode Call:** A Contributor saves a post containing: `[ez-toc title='\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n3. **Processing:** When the post is rendered, WordPress calls the registered callback:\n `public static function shortcode( $atts ) { ... }`\n4. **Attribute Merging:** The callback uses `shortcode_atts()` to merge user input with defaults:\n `$atts = shortcode_atts( array( 'title' => 'Table of Contents', ... ), $atts );`\n5. **Vulnerable Sink:** The attribute `$atts['title']` is concatenated into an HTML string and returned without being passed through `esc_html()` or `esc_attr()`.\n `return '\u003Cdiv class=\"ez-toc-title-container\">' . $atts['title'] . '\u003C\u002Fdiv>'; \u002F\u002F VULNERABLE`\n\n## 4. Nonce Acquisition Strategy\nShortcodes are processed by WordPress core during page rendering (`do_shortcode`). **No nonce is required to trigger the execution of a shortcode** when viewing a page. \n\nHowever, to *create* the post as a Contributor via the web interface (to simulate a real attack), a nonce for the post editor (`wp-admin\u002Fpost-new.php`) or the REST API would be needed. \n- **Strategy:** Use the `browser_navigate` and `browser_eval` tools to log in as a Contributor and extract the REST nonce or the `_wpnonce` from the post editor page.\n- **Alternative:** Since the goal is to demonstrate the XSS via shortcode processing, the agent can use `wp-cli` to create the post with the malicious shortcode, then use `http_request` to view the page as an administrator.\n\n## 5. Exploitation Strategy\n1. **Preparation:** Log in as a **Contributor** user.\n2. **Payload Selection:**\n - Standard: `[ez-toc title='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n - Attribute Breakout (if reflected in an attribute): `[ez-toc title='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n3. **Post Creation:**\n - Create a new post\u002Fpage with the malicious shortcode in the `post_content`.\n4. **Execution\u002FVerification:**\n - Navigate to the newly created post's URL using `http_request` or `browser_navigate`.\n - Check if the script tags appear in the raw HTML response or execute in the browser.\n\n## 6. Test Data Setup\n- **Plugin:** Install `easy-table-of-contents` version `2.0.78`.\n- **User:** Create a user with the `contributor` role.\n- **Target Content:** \n ```bash\n wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_content=\"[ez-toc title='\u003Cscript>alert(\\\"XSS_SUCCESS\\\")\u003C\u002Fscript>']\" --post_author=2\n ```\n *(Note: While contributors usually can't publish, we can set status to publish via CLI to simplify the demonstration, or leave as 'pending' and view as Admin).*\n\n## 7. Expected Results\n- When the page is requested, the HTML output should contain the literal, unescaped string: `\u003Cscript>alert(\"XSS_SUCCESS\")\u003C\u002Fscript>`.\n- In a browser context, an alert box with \"XSS_SUCCESS\" should appear.\n\n## 8. Verification Steps\n1. **CLI Check:**\n ```bash\n wp post get \u003CPOST_ID> --field=post_content\n ```\n2. **HTTP Check:**\n - Use `http_request` to fetch the permalink of the post.\n - Search the response body for the exact string: `\u003Cscript>alert(\"XSS_SUCCESS\")\u003C\u002Fscript>`.\n3. **Admin Context Verification:**\n - Navigate to the post as an Administrator to confirm the XSS executes in a high-privilege session.\n\n## 9. Alternative Approaches\nIf the `title` attribute is sanitized, try other potential attributes used in the TOC rendering:\n- `label`\n- `header_label`\n- `container_class` (Requires breakout: `[ez-toc container_class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`)\n\nIf the shortcode requires specific headings to be present to trigger rendering, ensure the post content includes at least one `\u003Ch2>` tag:\n```\n[ez-toc title='\u003Cscript>alert(1)\u003C\u002Fscript>']\n## Heading 1\nContent here.\n```\n\nIf the shortcode is only processed in certain contexts (e.g., only on 'page' post types), change the `post_type` during setup.","The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [ez-toc] shortcode in versions up to 2.0.78. Authenticated attackers with Contributor-level access can inject arbitrary web scripts into pages because the plugin fails to sanitize or escape user-supplied attributes like 'title' before rendering them.","\u002F\u002F File: includes\u002Fclass.ez-toc.php (Inferred location based on standard plugin structure and research plan)\npublic static function shortcode( $atts ) {\n $atts = shortcode_atts( array(\n 'title' => 'Table of Contents',\n \u002F\u002F ... other attributes\n ), $atts );\n\n \u002F\u002F The attribute is merged and then concatenated into HTML without escaping\n return '\u003Cdiv class=\"ez-toc-title-container\">' . $atts['title'] . '\u003C\u002Fdiv>';\n}","--- a\u002Fincludes\u002Fclass.ez-toc.php\n+++ b\u002Fincludes\u002Fclass.ez-toc.php\n@@ -10,5 +10,5 @@\n $atts = shortcode_atts( array(\n 'title' => 'Table of Contents',\n ), $atts );\n \n- return '\u003Cdiv class=\"ez-toc-title-container\">' . $atts['title'] . '\u003C\u002Fdiv>';\n+ return '\u003Cdiv class=\"ez-toc-title-container\">' . esc_html( $atts['title'] ) . '\u003C\u002Fdiv>';","1. Authenticate as a Contributor or any user role with permission to use shortcodes in posts.\n2. Create a new post or page via the WordPress editor.\n3. Embed the malicious shortcode payload: [ez-toc title='\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Ensure the post content contains at least one heading (e.g., \u003Ch2>Heading\u003C\u002Fh2>) to trigger the Table of Contents generation.\n5. Save the post as a draft or publish it (if permissions allow).\n6. When any user (including an Administrator) views the post, the script in the 'title' attribute will execute in their browser context.","gemini-3-flash-preview","2026-04-19 04:33:02","2026-04-19 04:34:49",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.78","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-table-of-contents\u002Ftags\u002F2.0.78","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-table-of-contents.2.0.78.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-table-of-contents\u002Ftags\u002F2.0.79","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-table-of-contents.2.0.79.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-table-of-contents\u002Ftags"]