CVE-2025-68836

Vulnerability

Overview

The Table of Contents Creator plugin for WordPress, versions from n/a through 1.6.4.1, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the browser of a victim who visits a specially crafted link.

Exploitation

Requirements

Exploitation requires user interaction—a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a form [1]. The attacker does not need prior authentication but relies on tricking an authenticated user into performing the action. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when guests visit the affected site [1]. This can lead to defacement, phishing, or theft of session cookies and credentials, potentially compromising the entire WordPress installation.

Mitigation

As of the publication date, no official patch has been released for version 1.6.4.1. The recommended immediate action is to update the plugin as soon as a patched version becomes available [1]. If updating is not possible, users should contact their hosting provider or web developer for assistance. Patchstack has issued a mitigation rule to block attacks until an official patch can be safely applied [1].