The vulnerability arises from a Cross‑Site Request Forgery flaw in the Site Table of Contents plugin that allows an attacker to inject malicious JavaScript into the plugin’s stored data. This stored XSS can be carried out when a victim performs a forged request, causing the injected script to execute whenever the compromised content is displayed to any visitor. The potential impact includes session hijacking, credential theft, or unauthorized actions performed in the victim’s context. The weakness is identified as CWE‑352, a cross‑site request forgery for which stored XSS is a likely consequence.

The Site Table of Contents plugin from the vendor intelcaprep, in all releases up to and including version 0.3, is affected. No additional version details are available beyond the upper bound of 0.3.

The CVSS score of 7.1 categorises this issue as high severity. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not catalogued in CISA’s KEV list. Inferred from the description, the attack requires a user to be authenticated and to submit a forged request, which means the risk is limited to users with sufficient privileges. Nevertheless, because the flaw results in stored XSS, an attacker can potentially impact any user who views the affected content.