CVE-2025-13738
Stored XSS in Easy Table of Contents WordPress Plugin Allows Script Injection
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| easy_table_of_contents | easy_table_of_contents | to 2.0.78 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Easy Table of Contents plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.0.78. This vulnerability arises because the plugin does not properly sanitize and escape user-supplied attributes in its `ez-toc` shortcode. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts will execute whenever any user accesses the infected page.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with contributor or higher privileges to inject arbitrary web scripts into pages. When other users visit these pages, the malicious scripts execute in their browsers. This can lead to unauthorized actions such as stealing session cookies, defacing content, redirecting users to malicious sites, or performing actions on behalf of the user without their consent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the Easy Table of Contents WordPress plugin's `ez-toc` shortcode, exploitable by authenticated users with contributor-level access or higher. Detection involves identifying pages or posts containing malicious script injections within the `ez-toc` shortcode attributes.
To detect this on your system, you can scan WordPress posts and pages for suspicious script tags or unusual JavaScript code embedded in the content generated by the Easy Table of Contents plugin, especially within shortcode attributes.
Suggested commands or methods include:
- Use WP-CLI to search post content for suspicious script tags: `wp post list --post_type=post --format=ids | xargs -I % wp post get % --field=post_content | grep -i '<script'`
- Search the WordPress database directly for script injections in posts: `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' AND post_content LIKE '%[ez-toc%'`
- Monitor HTTP traffic for suspicious payloads or script injections in pages that include the Easy Table of Contents shortcode.
Note that no specific detection commands or tools are detailed in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Easy Table of Contents plugin to version 2.0.79 or later, where the vulnerability has been fixed.
This update addresses the Stored Cross-Site Scripting vulnerability by improving input sanitization and output escaping for the `ez-toc` shortcode attributes, preventing authenticated contributors and above from injecting malicious scripts.
- Immediately upgrade the Easy Table of Contents plugin to version 2.0.79 or newer.
- Restrict contributor-level access and above to trusted users until the patch is applied.
- Review existing posts and pages for any injected malicious scripts and remove them.
Additional general security best practices include regularly updating WordPress core, themes, and plugins, and monitoring user roles and permissions.