WordPress Plugin Vulnerabilities

LuckyWP Table of Contents < 2.1.5 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via multiple parameters due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
luckywp-table-of-contents
Fixed in 2.1.5

References

CVE
CVE-2024-2953
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b12c0524-d991-4f96-8646-f4203880558c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Ivan Kuzymchak
Verified
No
WPVDB ID
bb7dc9f5-00ea-4626-b0f0-6050c054b1c2

Timeline

Publicly Published
2024-05-21 (about 2 years ago)
Added
2024-05-21 (about 2 years ago)
Last Updated
2024-10-28 (about 1 year ago)

Other

Published
Title
Published
2021-01-12
Title
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
Published
2024-10-28
Title
Ninja Forms < 3.8.18 - Admin+ Stored XSS
Published
2024-06-22
Title
WP Affiliate Platform < 6.5.1 - Profile Update via CSRF
Published
2025-03-27
Title
LeadConnector < 3.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2013-08-26
Title
Contact Form 3.34 - contact_form.php cntctfrm_contact_message Parameter XSS