Description
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery leading to Reflected Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The LuckyWP Table of Contents plugin for WordPress contains a flaw in the ajaxEdit function, where nonce validation is missing or incorrect. This results in a Cross-Site Request Forgery (CWE-352) that allows an unauthenticated attacker to send forged requests to the plugin. If an administrator is tricked into executing such a request, the attacker can inject arbitrary JavaScript, creating a Reflected Cross-Site Scripting vulnerability (CWE-79). The injected script runs in the context of the site administrator's browser session, potentially leaking credentials or defacing the site.
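The missing check described above, shown as an added illustrative example rather than the plugin's own code: a constructed WordPress admin-ajax handler with no nonce validation next to a hardened version that uses check_ajax_referer(), a capability check and output escaping. The action name lwptoc_ajax_edit, the nonce action string lwptoc_edit and all function names are assumptions.

```php
<?php
// Added illustrative example, not the LuckyWP plugin's own code. The action name,
// nonce action string and function names below are assumptions.

// Vulnerable shape (constructed): the handler trusts the request and reflects
// request data unescaped. A forged POST to admin-ajax.php from any page the
// administrator visits is sent with the administrator's session cookies.
function lwptoc_ajax_edit_vulnerable() {
    $title = $_POST['title'] ?? '';                              // no nonce, no capability check
    echo '<div class="lwptoc-preview">' . $title . '</div>';     // reflected without escaping
    wp_die();
}

// Hardened shape: verify the CSRF nonce, confirm the caller is allowed to edit,
// and escape anything reflected back into HTML.
function lwptoc_ajax_edit_hardened() {
    // Validates the nonce in $_REQUEST['nonce'] against the action 'lwptoc_edit'
    // for the current user and terminates the request (-1) if it is missing or stale.
    check_ajax_referer( 'lwptoc_edit', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_send_json_success( array(
        'preview' => '<div class="lwptoc-preview">' . esc_html( $title ) . '</div>',
    ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ variant is exposed.
add_action( 'wp_ajax_lwptoc_ajax_edit', 'lwptoc_ajax_edit_hardened' );

// The legitimate client gets a nonce minted for its own session and must send it
// back as the 'nonce' field; a cross-site page cannot read or forge that value.
function lwptoc_enqueue_editor_assets() {
    wp_enqueue_script( 'lwptoc-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'lwptoc-editor', 'lwptocEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'lwptoc_edit' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'lwptoc_enqueue_editor_assets' );
```

The nonce check alone stops the forged request; the escaping closes the reflected XSS path for any request that does get through.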

Affected Systems

WordPress sites using the LuckyWP Table of Contents plugin, any version up to and including 2.1.10. Every installation running an affected version exposes the plugin's ajaxEdit endpoint without proper nonce verification.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is less than 1%, showing a low probability of current exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector relies on social engineering: an attacker must convince an administrator to click a malicious link or otherwise trigger the forged request. While exploitation risk appears moderate, a successful attack gives the attacker JavaScript execution in the administrator's browser context.

Generated by OpenCVE AI on April 21, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LuckyWP Table of Contents to a version beyond 2.1.10, which contains the missing nonce validation.
  • If an upgrade is not immediately possible, temporarily disable or remove the plugin to stop the exposed ajaxEdit endpoint from being reachable.
  • Ensure that administrative accounts are protected with strong authentication and monitor for suspicious admin activity to reduce the chance of a social‑engineering trigger.

Advisories

Source: EUVD
ID: EUVD-2025-9603
Title: The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

History

Thu, 15 May 2025 20:15:00 +0000

  First Time appeared (values added): Theluckywp; Theluckywp luckywp Table Of Contents
  Weaknesses (values added): CWE-352
  CPEs (values added): cpe:2.3:a:theluckywp:luckywp_table_of_contents:*:*:*:*:*:wordpress:*:*
  Vendors & Products (values added): Theluckywp; Theluckywp luckywp Table Of Contents

Thu, 03 Apr 2025 14:15:00 +0000

  Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 11:30:00 +0000

  Description (values added): The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  Title (values added): LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
  Weaknesses (values added): CWE-79
  References (values added): none listed
  Metrics (values added): cvssV3_1
  {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:03.545Z

Reserved: 2025-03-13T23:09:22.538Z

Link: CVE-2025-2299

Vulnrichment

Updated: 2025-04-03T13:17:22.740Z

NVD

Status: Analyzed

Published: 2025-04-03T12:15:14.920

Modified: 2025-05-15T19:54:41.610

Link: CVE-2025-2299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses