Table of Contents Creator <= 1.6.4.1 - Reflected Cross-Site Scripting
Description
The Table of Contents Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 1.6.4.1
Based on the vulnerability details for CVE-2025-68836, this is a Reflected Cross-Site Scripting (XSS) vulnerability in the Table of Contents Creator plugin (versions up to 1.6.4.1). Since the source code is not provided, the following plan is based on the vulnerability description, common patterns for this plugin type, and WordPress security best practices.
1. Vulnerability Summary
The vulnerability exists because the plugin fails to sanitize or escape user-controlled request input (read from $_GET, $_POST, or $_REQUEST) before echoing it back into a page. Since the CVSS vector indicates unauthenticated access (PR:N), the sink is most likely in a frontend hook (such as init, wp_head, or a shortcode callback) or an unauthenticated AJAX handler (wp_ajax_nopriv_*).
2. Attack Vector Analysis
- Endpoint: Likely the WordPress frontend (any post/page where the TOC is active) or a specific plugin-generated page.
- Vulnerable Parameter: (Inferred) Parameters such as `toc_style`, `anchor`, `filter`, or `search_query` used to customize the TOC display or navigate it.
- Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. Some reflected XSS in TOC plugins requires a specific shortcode like `[table-of-contents]` or `[toc]` to be present on the page to trigger the vulnerable code path.
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user visits a URL with a malicious query parameter (e.g., `example.com/?toc_title=<script>alert(1)</script>`).
- Hook: The plugin's `init` or `wp_head` action fires, or a shortcode is processed during the `the_content` filter.
- Data Acquisition: The plugin accesses the parameter directly: `$title = $_GET['toc_title'];` (or similar).
- Vulnerable Sink: The plugin echoes this variable directly into the HTML without calling `esc_html()`, `esc_attr()`, or `wp_kses()`:
  - `echo "<h2 class='toc-title'>$title</h2>";` (tag content reflection)
  - `echo "<div data-style='$title'>...</div>";` (attribute reflection)
4. Nonce Acquisition Strategy
Reflected XSS via GET parameters typically does not require a nonce, as nonces are intended to prevent CSRF (unintentional state-changing actions), while Reflected XSS is an input-to-output reflection.
However, if the reflection occurs within a POST-based "Preview" feature or a specific AJAX action, follow this strategy:
- Identify the Trigger: Determine if the XSS fires on a standard page or requires a specific plugin shortcode.
- Shortcode Setup: Create a page containing the plugin's primary shortcode: `wp post create --post_type=page --post_title="TOC Test" --post_status=publish --post_content='[table-of-contents-creator]'`
- Navigate and Extract: Use `browser_navigate` to visit the page and `browser_eval` to check for localized variables if the reflection is in an AJAX response:
  - Variable check: `browser_eval("window.toc_creator_data?.nonce")` (inferred)
- Bypass Check: Check the source for `check_ajax_referer` calls. If the second parameter (the nonce name) is missing or if `die` is set to `false`, the nonce may not be strictly required.
5. Exploitation Strategy
The goal is to demonstrate that arbitrary JavaScript can be executed in the victim's browser.
Step 1: Discover the Reflection Point
The agent should test common TOC-related parameters by sending a "canary" string and checking the response.
- Request: `GET /?toc_id=canary_reflection_test`
- Tool: `http_request`
Step 2: Craft the XSS Payload
Depending on where the canary appears in the source code:
- In HTML Body: `<script>alert(document.domain)</script>`
- Inside Attribute: `" onmouseover="alert(1)"` or `"><script>alert(1)</script>`
Step 3: Execute the Exploit
- URL: `http://localhost:8080/?vulnerable_param=<script>alert(1)</script>`
- HTTP Method: `GET`
- Tool: `http_request` (to verify the unescaped reflection in the response body) or `browser_navigate` (to confirm execution).
6. Test Data Setup
- Install/Activate: Ensure `table-of-contents-creator` version 1.6.4.1 is installed.
- Content Creation: Create a post with several headings to ensure the TOC plugin logic is fully invoked: `wp post create --post_type=post --post_title="Target Page" --post_content="<!-- [table-of-contents-creator] --> <h1>Heading 1</h1><h2>Heading 2</h2>" --post_status=publish`
- Plugin Configuration: Ensure the TOC is set to display automatically or via the shortcode added above.
7. Expected Results
- HTTP Response: The `http_request` response body should contain the literal string `<script>alert(1)</script>` (or the chosen payload) without being encoded to `&lt;script&gt;`.
- Browser Execution: If using `browser_navigate`, the agent should detect a dialog/alert or successfully execute a `console.log` trace.
8. Verification Steps
- Source Code Inspection: Use `grep` to find the exact line responsible for the reflection once the vulnerable parameter is identified: `grep -rn "echo.*\$_GET" /var/www/html/wp-content/plugins/table-of-contents-creator/`
- Confirm Lack of Escaping: Verify that the code at the identified line does not use `esc_html` or `esc_attr`.
9. Alternative Approaches
- Admin-Side Reflection: If the frontend is not vulnerable, test the admin settings page. An attacker could trick an admin into clicking a link like: `wp-admin/admin.php?page=table-of-contents-creator&message=<script>alert(1)</script>`
- AJAX Reflection: If the plugin uses AJAX to load TOC content dynamically, test the `action` parameter in `admin-ajax.php` for reflected parameters:
  - Action: `wp_ajax_nopriv_get_toc_content`
  - Parameter: `toc_title` or `custom_css`.
- Shortcode Attribute Reflection: If the plugin reflects shortcode attributes directly, an attacker with "Contributor" privileges (who can post shortcodes) could perform Stored XSS: `[table-of-contents-creator title="<script>alert(1)</script>"]`
Summary
The Table of Contents Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.6.4.1. This occurs because the plugin echoes user-supplied input from query parameters directly into the page without adequate sanitization or output escaping, allowing unauthenticated attackers to execute arbitrary JavaScript in the victim's browser.
Vulnerable Code
```php
<?php
/* Inferred from research plan - representative of reflection in plugin output */
// table-of-contents-creator.php
$toc_title = $_GET['toc_title'];
echo "<h2 class='toc-title'>$toc_title</h2>";

/* Inferred reflection in attribute context */
$style = $_GET['toc_style'];
echo "<div class='toc-wrap' style='color: $style'>";
```
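As an added example (not code from the plugin, the advisory, or the research plan), a small Python check that automates verification step 8 above: it tracks variables assigned from $_GET/$_POST/$_REQUEST and flags echo/print statements that emit them without an esc_*/wp_kses wrapper. The PHP samples are constructed from the inferred vulnerable lines and the patched lines on this page; the regex-based taint tracking is a heuristic, not a full analysis.

```python
import re
# Request sources named in the research plan, and WordPress output-escaping calls.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST)\s*\[")
ESCAPER_RE = re.compile(r"\b(?:esc_\w+|wp_kses\w*)\(\s*")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);\s*$")
ECHO_RE = re.compile(r"^\s*(?:echo|print)\b(.*);\s*$")

def mentions(var, text):  # occurrences of a PHP variable such as '$toc_title'
    return len(re.findall(re.escape(var) + r"\b", text))
def fully_escaped(var, text):  # every use of var is the direct argument of an escaper
    return len(re.findall(ESCAPER_RE.pattern + re.escape(var) + r"\b", text)) == mentions(var, text)
def find_unescaped_reflections(php_source):
    """Return [(line_no, source, line)] for echo/print of request-derived data without esc_*/wp_kses*.
    Intra-file heuristic; sanitize_text_field() is input sanitisation, not output escaping, so it keeps taint."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "/*", "*")):
            continue  # comment-only line
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            from_request = SOURCE_RE.search(rhs) or any(mentions(t, rhs) for t in tainted)
            if from_request and not ESCAPER_RE.search(rhs):
                tainted.add(var)       # raw request value flows into var
            else:
                tainted.discard(var)   # reassigned from a clean or escaped value
            continue
        m = ECHO_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        for var in sorted(tainted):
            if mentions(var, body) and not fully_escaped(var, body):
                findings.append((no, var, line.strip()))
        src = SOURCE_RE.search(body)
        if src and not ESCAPER_RE.search(body):  # superglobal echoed directly
            findings.append((no, "$_" + src.group(1), line.strip()))
    return findings

# Constructed samples: the page's inferred vulnerable lines and the patched lines.
VULNERABLE_PHP = """$toc_title = $_GET['toc_title'];
echo "<h2 class='toc-title'>$toc_title</h2>";
$style = $_GET['toc_style'];
echo "<div class='toc-wrap' style='color: $style'>";
"""
PATCHED_PHP = """$toc_title = isset($_GET['toc_title']) ? sanitize_text_field($_GET['toc_title']) : '';
echo "<h2 class='toc-title'>" . esc_html($toc_title) . "</h2>";
$style = isset($_GET['toc_style']) ? sanitize_text_field($_GET['toc_style']) : '';
echo "<div class='toc-wrap' style='color: " . esc_attr($style) . "'>";
"""
```

Running `find_unescaped_reflections` on the two samples reports lines 2 and 4 of the vulnerable version and nothing for the patched one; point it at the plugin's own files only after the grep step has narrowed the search.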
Security Fix
@@ -1,2 +1,2 @@ -$toc_title = $_GET['toc_title']; -echo "<h2 class='toc-title'>$toc_title</h2>"; +$toc_title = isset($_GET['toc_title']) ? sanitize_text_field($_GET['toc_title']) : ''; +echo "<h2 class='toc-title'>" . esc_html($toc_title) . "</h2>"; @@ -4,2 +4,2 @@ -$style = $_GET['toc_style']; -echo "<div class='toc-wrap' style='color: $style'>"; +$style = isset($_GET['toc_style']) ? sanitize_text_field($_GET['toc_style']) : ''; +echo "<div class='toc-wrap' style='color: " . esc_attr($style) . "'>";
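Review bot: in the first hunk, `$_GET['toc_title']` is handed to `sanitize_text_field()` without `wp_unslash()`; WordPress adds slashes to request superglobals, so a title containing a quote will be rendered with a stray backslash. Suggest `sanitize_text_field( wp_unslash( $_GET['toc_title'] ) )`. Note that the `esc_html()` at the sink is what actually closes the XSS; the input sanitization is defence in depth, not a substitute for output escaping.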
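Review bot: in the second hunk, `esc_attr($style)` inside `style='color: ...'` stops the value from breaking out of the attribute, but it does not validate the CSS that is emitted; whatever the user supplied still lands in a live style declaration. Since the value is a colour, validate it against an allow-list (a hex colour pattern or a fixed set of names) and fall back to a default on mismatch, rather than escaping free text into a style attribute.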
Exploit Outline
1. Identify a post or page on the target WordPress site where the Table of Contents Creator plugin is active.
2. Identify a vulnerable parameter such as `toc_title`, `toc_style`, `anchor`, or `filter` by checking if query strings are reflected in the page source.
3. Construct a malicious URL by appending a JavaScript payload to the identified parameter, for example: `?toc_title=<script>alert(document.domain)</script>`.
4. Deliver this URL to a target user (such as a site administrator) via social engineering or a hidden redirect.
5. Upon the user clicking the link, the payload executes within their browser context, allowing for session hijacking or unauthorized administrative actions.