[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmO8gDOF1gs8pdVp7ECBF_MuKOBvL2GhrfmSmSkU9aXQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68836","table-of-contents-creator-reflected-cross-site-scripting","Table of Contents Creator \u003C= 1.6.4.1 - Reflected Cross-Site Scripting","The Table of Contents Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","table-of-contents-creator",null,"\u003C=1.6.4.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-19 00:00:00","2026-01-27 19:21:08",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F935a8d4e-5d5e-46c2-b3b2-eb550f27d535?source=api-prod",[],"researched",false,3,"Based on the vulnerability details for **CVE-2025-68836**, this is a Reflected Cross-Site Scripting (XSS) vulnerability in the **Table of Contents Creator** plugin (versions up to 1.6.4.1). Since the source code is not provided, the following plan is based on the vulnerability description, common patterns for this plugin type, and WordPress security best practices.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin fails to sanitize or escape user-controlled input from the URL (via `$_GET`, `$_POST`, or `$_REQUEST`) before echoing it back into a page. Since the CVSS vector indicates **unauthenticated (PR:N)** access, the sink is likely located in a frontend hook (like `init`, `wp_head`, or a shortcode callback) or an unauthenticated AJAX handler (`wp_ajax_nopriv_*`).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Likely the WordPress frontend (any post\u002Fpage where the TOC is active) or a specific plugin-generated page.\n*   **Vulnerable Parameter:** (Inferred) Parameters such as `toc_style`, `anchor`, `filter`, or `search_query` used to customize the TOC display or navigate it.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active. Some reflected XSS in TOC plugins requires a specific shortcode like `[table-of-contents]` or `[toc]` to be present on the page to trigger the vulnerable code path.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user visits a URL with a malicious query parameter (e.g., `example.com\u002F?toc_title=\u003Cscript>alert(1)\u003C\u002Fscript>`).\n2.  **Hook:** The plugin's `init` or `wp_head` action fires, or a shortcode is processed during `the_content` filter.\n3.  **Data Acquisition:** The plugin accesses the parameter directly: `$title = $_GET['toc_title'];` (or similar).\n4.  **Vulnerable Sink:** The plugin echoes this variable directly into the HTML without calling `esc_html()`, `esc_attr()`, or `wp_kses()`:\n    *   `echo \"\u003Ch2 class='toc-title'>$title\u003C\u002Fh2>\";` (Tag content reflection)\n    *   `echo \"\u003Cdiv data-style='$title'>...\u003C\u002Fdiv>\";` (Attribute reflection)\n\n### 4. Nonce Acquisition Strategy\nReflected XSS via GET parameters typically does **not** require a nonce, as nonces are intended to prevent CSRF (unintentional state-changing actions), while Reflected XSS is an input-to-output reflection.\n\nHowever, if the reflection occurs within a POST-based \"Preview\" feature or a specific AJAX action, follow this strategy:\n1.  **Identify the Trigger:** Determine if the XSS fires on a standard page or requires a specific plugin shortcode.\n2.  **Shortcode Setup:** Create a page containing the plugin's primary shortcode:\n    ```bash\n    wp post create --post_type=page --post_title=\"TOC Test\" --post_status=publish --post_content='[table-of-contents-creator]'\n    ```\n3.  **Navigate and Extract:** Use `browser_navigate` to visit the page and `browser_eval` to check for localized variables if the reflection is in an AJAX response:\n    *   Variable check: `browser_eval(\"window.toc_creator_data?.nonce\")` (inferred)\n4.  **Bypass Check:** Check the source for `check_ajax_referer` calls. If the second parameter (the nonce name) is missing or if `die` is set to `false`, the nonce may not be strictly required.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that arbitrary JavaScript can be executed in the victim's browser.\n\n**Step 1: Discover the Reflection Point**\nThe agent should test common TOC-related parameters by sending a \"canary\" string and checking the response.\n*   **Request:** `GET \u002F?toc_id=canary_reflection_test`\n*   **Tool:** `http_request`\n\n**Step 2: Craft the XSS Payload**\nDepending on where the canary appears in the source code:\n*   **In HTML Body:** `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Inside Attribute:** `\" onmouseover=\"alert(1)\"` or `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n\n**Step 3: Execute the Exploit**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?vulnerable_param=\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **HTTP Method:** `GET`\n*   **Tool:** `http_request` (to verify the unescaped reflection in the response body) or `browser_navigate` (to confirm execution).\n\n### 6. Test Data Setup\n1.  **Install\u002FActivate:** Ensure `table-of-contents-creator` version 1.6.4.1 is installed.\n2.  **Content Creation:** Create a post with several headings to ensure the TOC plugin logic is fully invoked:\n    ```bash\n    wp post create --post_type=post --post_title=\"Target Page\" --post_content=\"\u003C!-- [table-of-contents-creator] --> \u003Ch1>Heading 1\u003C\u002Fh1>\u003Ch2>Heading 2\u003C\u002Fh2>\" --post_status=publish\n    ```\n3.  **Plugin Configuration:** Ensure the TOC is set to display automatically or via the shortcode added above.\n\n### 7. Expected Results\n*   **HTTP Response:** The `http_request` response body should contain the literal string `\u003Cscript>alert(1)\u003C\u002Fscript>` (or the chosen payload) without being encoded to `&lt;script&gt;`.\n*   **Browser Execution:** If using `browser_navigate`, the agent should detect a dialog\u002Falert or successfully execute a `console.log` trace.\n\n### 8. Verification Steps\n1.  **Source Code Inspection:** Use `grep` to find the exact line responsible for the reflection once the vulnerable parameter is identified:\n    ```bash\n    grep -rn \"echo.*\\$_GET\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ftable-of-contents-creator\u002F\n    ```\n2.  **Confirm Lack of Escaping:** Verify that the code at the identified line does not use `esc_html` or `esc_attr`.\n\n### 9. Alternative Approaches\n*   **Admin-Side Reflection:** If the frontend is not vulnerable, test the admin settings page. An attacker could trick an admin into clicking a link like:\n    `wp-admin\u002Fadmin.php?page=table-of-contents-creator&message=\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **AJAX Reflection:** If the plugin uses AJAX to load TOC content dynamically, test the `action` parameter in `admin-ajax.php` for reflected parameters:\n    *   Action: `wp_ajax_nopriv_get_toc_content`\n    *   Parameter: `toc_title` or `custom_css`.\n*   **Shortcode Attribute Reflection:** If the plugin reflects shortcode attributes directly, an attacker with \"Contributor\" privileges (who can post shortcodes) could perform Stored XSS:\n    `[table-of-contents-creator title=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`","The Table of Contents Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.6.4.1. This occurs because the plugin echoes user-supplied input from query parameters directly into the page without adequate sanitization or output escaping, allowing unauthenticated attackers to execute arbitrary JavaScript in the victim's browser.","\u002F* Inferred from research plan - representative of reflection in plugin output *\u002F\n\u002F\u002F table-of-contents-creator.php\n$toc_title = $_GET['toc_title'];\necho \"\u003Ch2 class='toc-title'>$toc_title\u003C\u002Fh2>\";\n\n---\n\n\u002F* Inferred reflection in attribute context *\u002F\n$style = $_GET['toc_style'];\necho \"\u003Cdiv class='toc-wrap' style='color: $style'>\";","--- table-of-contents-creator.php\n+++ table-of-contents-creator.php\n@@ -1,2 +1,2 @@\n-$toc_title = $_GET['toc_title'];\n-echo \"\u003Ch2 class='toc-title'>$toc_title\u003C\u002Fh2>\";\n+$toc_title = isset($_GET['toc_title']) ? sanitize_text_field($_GET['toc_title']) : '';\n+echo \"\u003Ch2 class='toc-title'>\" . esc_html($toc_title) . \"\u003C\u002Fh2>\";\n@@ -4,2 +4,2 @@\n-$style = $_GET['toc_style'];\n-echo \"\u003Cdiv class='toc-wrap' style='color: $style'>\";\n+$style = isset($_GET['toc_style']) ? sanitize_text_field($_GET['toc_style']) : '';\n+echo \"\u003Cdiv class='toc-wrap' style='color: \" . esc_attr($style) . \"'>\";","1. Identify a post or page on the target WordPress site where the Table of Contents Creator plugin is active.\n2. Identify a vulnerable parameter such as `toc_title`, `toc_style`, `anchor`, or `filter` by checking if query strings are reflected in the page source.\n3. Construct a malicious URL by appending a JavaScript payload to the identified parameter, for example: `?toc_title=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n4. Deliver this URL to a target user (such as a site administrator) via social engineering or a hidden redirect.\n5. Upon the user clicking the link, the payload executes within their browser context, allowing for session hijacking or unauthorized administrative actions.","gemini-3-flash-preview","2026-05-05 06:11:02","2026-05-05 06:11:26",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftable-of-contents-creator\u002Ftags"]