Easy Table of Contents < 2.0.79 – Contributor+ Stored XSS | CVE 2025-13738 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

easy-table-of-contents

Fixed in 2.0.79

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7205c238-4419-4292-8f9c-4ccf5b69dd60

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jack Taylor

Verified

No

WPVDB ID

f76be989-8eda-41ea-9e22-ac0c35f675bd

Timeline

Publicly Published

2026-02-18 (about 2 months ago)

Added

2026-02-18 (about 2 months ago)

Last Updated

2026-02-18 (about 2 months ago)

Other

Published

Title

Published

2023-04-03

Title

Magic Post Thumbnail < 4.1.11 - Reflected XSS

Published

2017-07-31

Title

Event List < 0.7.10 - XSS

Published

2023-06-05

Title

Ultimate Product Catalog < 5.2.6 - Admin+ Stored XSS

Published

2025-10-26

Title

SimpLy Gallery < 3.3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-30

Title

Responsive video embed < 0.5.1 - Contributor+ Stored XSS