35 matches found

RedhatCVE
added 2026/01/07 9:19 a.m., 2 views

CVE-2024-2218

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS 4.6 | AI score 5.2 | EPSS 0.00144
Exploits 2 | References 1

RedhatCVE
added 2025/05/23 2:4 a.m., 3 views

CVE-2023-6487

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 5.4 | AI score 6 | EPSS 0.00239
Exploits 0 | References 1

RedhatCVE
added 2025/04/05 11:31 a.m., 14 views

CVE-2025-2299

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVSS 6.1 | AI score 6.8 | EPSS 0.00927
Exploits 0 | References 1

NVD
added 2025/04/03 12:15 p.m., 6 views

CVE-2025-2299

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVSS 6.1 | EPSS 0.00927
Exploits 0 | References 4

CVE
added 2025/04/03 11:12 a.m., 54 views

CVE-2025-2299

CVE-2025-2299: The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) via the ajaxEdit function in versions up to 2.1.10. The root cause is missing or incorrect nonce validation, enabling unauthenticated attacker...

CVSS 6.1 | AI score 6.7 | EPSS 0.00927
Exploits 0 | References 4 | Affected Software 1

Vulnrichment
added 2025/04/03 11:12 a.m., 6 views

CVE-2025-2299 LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVSS 6.1 | AI score 6.7 | EPSS 0.00927
Exploits 0 | References 4

Cvelist
added 2025/04/03 11:12 a.m., 22 views

CVE-2025-2299 LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVSS 6.1 | EPSS 0.00927
Exploits 0 | References 4

Patchstack
added 2025/04/03 6:29 a.m., 6 views

WordPress LuckyWP Table of Contents plugin <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Reflected Cross-Site Scripting vulnerability discovered by mikemyers in WordPress Plugin LuckyWP Table of Contents versions <= 2.1.10...

CVSS 6.1 | AI score 7.4 | EPSS 0.00927
Exploits 0 | References 1 | Affected Software 1

Positive Technologies
added 2025/04/03 12:0 a.m., 2 views

PT-2025-14608 · WordPress · Luckywp Table Of Contents

Name of the Vulnerable Software and Affected Versions: LuckyWP Table of Contents plugin for WordPress versions up to, and including, 2.1.10. Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the ajaxEdit function. This allows...

CVSS 6.1 | AI score 6.6 | EPSS 0.00927
Exploits 0 | References 10

OSV
added 2024/12/12 6:15 a.m., 2 views

CVE-2024-9641

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS 4.8 | AI score 7.3 | EPSS 0.0017
Exploits 1 | References 1

NVD
added 2024/12/12 6:15 a.m., 13 views

CVE-2024-9641

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

CVSS 4.8 | EPSS 0.0017
Exploits 1 | References 1

CVE
added 2024/12/12 6:0 a.m., 56 views

CVE-2024-9641

CVE-2024-9641 affects LuckyWP Table of Contents for WordPress, prior to version 2.1.7. The issue is stored cross-site scripting (XSS) arising from insufficient sanitization/escaping of certain plugin settings, enabling high-privilege users (e.g., admins) to inject scripts even when unfiltered_htm...

CVSS 4.8 | AI score 5.7 | EPSS 0.0017
Exploits 1 | References 1 | Affected Software 1

Cvelist
added 2024/12/12 6:0 a.m., 9 views

CVE-2024-9641 LuckyWP Table of Contents < 2.1.7 - Admin+ Stored XSS

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

EPSS 0.0017
Exploits 1 | References 1

Positive Technologies
added 2024/12/12 12:0 a.m., 2 views

PT-2024-39734 · WordPress · Luckywp Table Of Contents

Name of the Vulnerable Software and Affected Versions: LuckyWP Table of Contents versions prior to 2.1.7. Description: The issue concerns the LuckyWP Table of Contents WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high privilege users, such as...

CVSS 4.8 | AI score 7.8 | EPSS 0.0017
Exploits 1 | References 6

Vulnrichment
added 2024/06/14 6:0 a.m., 21 views

CVE-2024-2218 LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

AI score 5.8 | EPSS 0.00144
Exploits 2 | References 1

CVE
added 2024/06/14 6:0 a.m., 82 views

CVE-2024-2218

The CVE-2024-2218 issue affects the LuckyWP Table of Contents WordPress plugin up to version 2.1.4, where settings sanitization/escaping is insufficient, enabling admin-level Stored XSS in multisite or when unfiltered_html is disabled. Root cause: inadequate input sanitization/escapes in certain ...

CVSS 4.6 | AI score 4.3 | EPSS 0.00144
Exploits 2 | References 1 | Affected Software 1

Patchstack
added 2024/05/24 12:0 a.m., 5 views

WordPress LuckyWP Table of Contents Plugin <= 2.1.5 is vulnerable to Cross Site Scripting (XSS)

Software: LuckyWP Table of Contents; Type: Plugin; Vulnerable versions: <= 2.1.5; Fixed in: 2.1.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2218; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: f253e02e4fa4; Credits: Sławomir...

CVSS 4.6 | AI score 5.7 | EPSS 0.00144
Exploits 2 | References 4 | Affected Software 1

wpexploit
added 2024/05/24 12:0 a.m., 181 views

LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup. Request: POST...

AI score 5.6 | EPSS 0.00144
Exploits 2

Patchstack
added 2024/05/23 12:0 a.m., 7 views

WordPress LuckyWP Table of Contents Plugin <= 2.1.4 is vulnerable to Cross Site Scripting (XSS)

Software: LuckyWP Table of Contents; Type: Plugin; Vulnerable versions: <= 2.1.4; Fixed in: 2.1.5; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6487; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 87218af4d164; Credits: Akbar Kustiram...

CVSS 5.4 | AI score 5.8 | EPSS 0.00239
Exploits 0 | References 3 | Affected Software 1

OSV
added 2024/05/22 8:15 a.m., 2 views

CVE-2024-2953

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissio...

CVSS 4.8 | AI score 5.9 | EPSS 0.00335
Exploits 0 | References 4