WordPress Plugin Vulnerability Report – Table of Contents Plus – Authenticated (Administrator+) Stored Cross-Site Scripting

Plugin Name: Table of Contents Plus

Key Information:

  • Software Type: Plugin
  • Software Slug: table-of-contents-plus
  • Software Status: Active
  • Software Author: conjur3r
  • Software Downloads: 2,261,612
  • Active Installs: 300,000
  • Last Updated: September 19, 2023
  • Patched Versions: 2309
  • Affected Versions: <2309

Vulnerability Details:

  • Name: Table of Contents Plus <= 2302 - Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS Score: 4.4 (medium)
  • Publicly Published: September 19, 2023
  • Description: The Table of Contents Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2302 due to insufficient input sanitization and output escaping.


The Table of Contents Plus plugin for WordPress has a vulnerability in versions up to and including 2302 that allows for Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 2309.

Detailed Overview:

The vulnerability is classified as "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" and has received a CVSS score of 4.4, categorizing it as a medium-level threat. The issue lies in the plugin's admin settings where insufficient input sanitization and output escaping occur. Consequently, attackers who have administrative-level permissions or higher can inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. It's worth noting that this vulnerability primarily affects multi-site installations and installations where unfiltered_html has been disabled.

Advice for Users:

  • Immediate Action: Users are encouraged to update to version 2309 immediately to mitigate this vulnerability.
  • Check for Signs of Vulnerability: Users can look for unauthorized changes to their website's content or configuration settings as an indication that their site may have been compromised.
  • Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2309 or later to secure their WordPress installations.


Detailed Report:

If you run a WordPress website, a recently disclosed vulnerability in a widely used plugin should be on your radar. The Table of Contents Plus plugin, installed on over 300,000 sites, is susceptible to a stored cross-site scripting (XSS) vulnerability in versions up to and including 2302. While a patch has been released, neglecting to update leaves your site exposed. In this post, we’ll break down the details of this vulnerability, how it can be exploited, and the steps you should take to lock down your website.

The Table of Contents Plus plugin, created by conjur3r, is used to automatically generate and display a table of contents on pages and posts. It has over 2 million downloads across WordPress repositories. Unfortunately, earlier versions fail to properly sanitize and escape admin settings input, enabling attackers to inject malicious scripts. With over 300,000 active installs vulnerable, it’s critical for site owners to take action.

Stored XSS vulnerabilities allow hackers to embed malicious code that gets executed when users load affected pages. By gaining admin access, attackers can insert JavaScript or other scripts into your pages and posts. When visitors open these pages, the scripts will run, enabling actions like stealing cookies, hijacking sessions, or installing malware.

While this vulnerability primarily threatens sites where unfiltered HTML input is enabled, the risk extends to all users. Even if you have restrictive security policies, sites are still exposed if any higher privileged users have the ability to add scripts.

To mitigate this vulnerability, site owners should immediately update to version 2309 or higher, which includes proper sanitization protections. You can find update details here. Be sure to check your site for any unauthorized code or content changes after updating. Also consider installing an alternate table of contents plugin for extra security.

This is the second disclosed vulnerability for this plugin since December 2022, illustrating the importance of staying on top of updates. The plugin authors have acted responsibly in developing and distributing a patch. However, the task ultimately falls on site owners to implement it.

Keeping your WordPress site secure requires ongoing maintenance—a responsibility that can be difficult for busy small business owners. But with cyber threats on the rise, it’s critically important. We recommend auditing your installed plugins and themes regularly to check for newly disclosed vulnerabilities. Enable automatic updates wherever possible. And consider partnering with a managed WordPress host or developer to offload security upkeep.

With the proper precautions, you can feel confident your website is locked down. Don’t leave the door open to threats. Take action now to update vulnerable plugins. Your site’s security depends on it.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

WordPress Plugin Vulnerability Report – Table of Contents Plus – Authenticated (Administrator+) Stored Cross-Site Scripting FAQs

Leave a Comment