Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation (CWE‑79) that allows reflected cross‑site scripting (XSS) in the Markbeljaars Table of Contents Creator plugin for WordPress. When the plugin receives user‑supplied data through certain request parameters, it writes that input into the generated page without escaping it, so markup or script supplied in the request is reflected back to the browser and interpreted as part of the page. Because the payload is reflected rather than stored, it runs only for the user who loads the crafted request, but it runs in the origin of the affected site: an attacker who lures a logged‑in user, such as an administrator, into opening the link can execute arbitrary JavaScript with that user's session and issue requests on their behalf.
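The following Python snippet is an added illustration of the reflection pattern described above and of the check a tester uses to confirm it; it is not the plugin's code. The template, the parameter and the rendering functions are hypothetical stand‑ins for the two behaviours (unescaped output, which is the CWE‑79 case, and output escaped for an HTML text context), and the canary check is the standard way to tell whether a reflected value came back with its dangerous characters intact, without sending a real payload.

```python
import html
import secrets

# Hypothetical page fragment standing in for the plugin's output. The "title"
# slot is an assumption for illustration, not the plugin's actual parameter.
PAGE_TEMPLATE = '<h2 class="toc-title">{title}</h2>\n<ul>{items}</ul>'


def render_unsafe(title: str) -> str:
    """CWE-79 pattern: the request value is written into the page verbatim."""
    return PAGE_TEMPLATE.format(title=title, items="")


def render_safe(title: str) -> str:
    """Hardened form: escape for an HTML text context before rendering.

    html.escape(..., quote=True) neutralises < > & " and ', so the value can
    no longer close the h2 element or start a new tag or attribute.
    """
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True), items="")


def make_canary() -> str:
    """Random marker carrying the characters that matter for XSS: < " ' >.

    Bracketing the specials with a random token makes the marker unlikely to
    occur in the page by accident, so a raw hit is a real reflection.
    """
    token = secrets.token_hex(4)
    return f'{token}<"\'>{token}'


def classify_reflection(body: str, canary: str) -> str:
    """Report how a canary came back in a response body.

    'unescaped': specials intact (reflected XSS is very likely exploitable)
    'escaped':   entity-encoded exactly as html.escape would produce it
    'partial':   the token is present but the specials were altered in some
                 other way (filtered, partly encoded); needs a manual look
    'absent':    the value is not reflected at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    prefix = canary.split("<", 1)[0]
    if prefix in body:
        return "partial"
    return "absent"


if __name__ == "__main__":
    canary = make_canary()
    print("unsafe render:", classify_reflection(render_unsafe(canary), canary))
    print("safe render:  ", classify_reflection(render_safe(canary), canary))
```

In a real assessment the canary is placed in the suspect request parameter and `classify_reflection` is run over the HTTP response body; an `unescaped` result is the evidence that the input is reflected without neutralisation. The escaping shown is only correct for an HTML text context; a value placed inside an attribute, a URL or a script block needs the escaping function for that context (in WordPress terms `esc_attr`, `esc_url` or `esc_js` rather than `esc_html`).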
Affected Systems
All installations of Markbeljaars Table of Contents Creator up to and including version 1.6.4.1 are affected. The vendor entry lists the product as Markbeljaars:Table of Contents Creator with the affected range given as "from n/a through 1.6.4.1", meaning no lower bound is known and every release through 1.6.4.1 is in scope. Any WordPress site running the plugin at that version or earlier should be treated as vulnerable until it is upgraded to a release above 1.6.4.1 that the plugin author identifies as fixed.
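As an added example (not part of this advisory or of the plugin), the Python below reads the `Version:` header that every WordPress plugin declares in its main PHP file and decides whether it falls inside the "through 1.6.4.1" range. The sample header is constructed for the test; the plugin's main file name and directory slug are not given on this page, so locate the file under `wp-content/plugins/` yourself. Version strings are compared numerically component by component so that `1.6.4` sorts below `1.6.4.1` and `1.10` above `1.9`, which a plain string comparison would get wrong.

```python
import re
from typing import Optional

# Upper bound of the affected range stated on this page ("through 1.6.4.1").
MAX_AFFECTED = "1.6.4.1"

# Constructed sample of a WordPress plugin header block. The file name, slug
# and author line are assumptions made for this example.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Table of Contents Creator
 * Plugin URI:  https://example.invalid/
 * Version: 1.6.4.1
 * Author: markbeljaars
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                  header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Turn '1.6.4.1' into (1, 6, 4, 1); non-numeric suffixes count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, padding short tuples with 0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str) -> bool:
    """True when the installed version is at or below the last affected release."""
    return compare_versions(version, MAX_AFFECTED) <= 0


def check_plugin_file(header_text: str) -> dict:
    """Combine parsing and range check into one result for a plugin file's text."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_plugin_file(SAMPLE_PLUGIN_HEADER))
```

Run it against the real file by reading it from disk and passing the contents to `check_plugin_file`; a result of `affected: True` means the site needs the upgrade. On a host with WP-CLI the same version can be obtained with `wp plugin list --format=json` and fed to `is_affected`.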
Risk and Exploitability
The CVSS score of 7.1 falls in the High band (7.0 to 8.9 under CVSS v3.x; 7.0 and above under v2). No EPSS score is published and the CVE is not listed in CISA's KEV catalog, which means there is no recorded evidence of exploitation in the wild, not that exploitation is difficult: a reflected XSS needs only a crafted URL that carries the malicious input in the affected parameter, and any user who opens that URL has the script executed in their browser. The required user interaction is typically obtained through phishing or social engineering, and the highest‑value target on a WordPress site is a logged‑in administrator, whose session the script can then drive. Update the plugin to a fixed release as soon as one is available; a Content Security Policy that disallows inline script reduces the impact of this class of bug but is not a substitute for the fix.
OpenCVE Enrichment