CVE-2023-6487 in LuckyWP Table of Contents Plugin
Summary
by MITRE • 05/22/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/29/2025
The LuckyWP Table of Contents plugin for WordPress presents a significant security vulnerability classified as CVE-2023-6487, which manifests as a stored cross-site scripting flaw in versions up to and including 214. This vulnerability specifically targets the 'Header Title' field within the plugin's functionality, creating a persistent threat that can compromise user sessions and execute malicious code within the context of affected websites. The flaw represents a critical weakness in the plugin's input validation mechanisms, where insufficient sanitization allows attackers to embed malicious scripts that persist in the database and execute whenever affected pages are accessed.
The technical exploitation of this vulnerability occurs through the manipulation of the Header Title field, which serves as an entry point for injecting malicious JavaScript code. This stored XSS vulnerability operates under the CWE-79 principle of cross-site scripting, where the plugin fails to properly escape output before rendering user-supplied content. The vulnerability requires authenticated access with administrator privileges, which aligns with ATT&CK technique T1078.004 for valid accounts and T1548.001 for privilege escalation. Attackers leveraging this vulnerability can craft malicious header titles that contain script tags or other malicious payloads, which then execute in the browsers of unsuspecting users who access pages containing the injected content.
The operational impact of CVE-2023-6487 extends beyond simple script execution, as it enables attackers to potentially hijack user sessions, steal sensitive information, manipulate website content, or redirect users to malicious domains. This vulnerability particularly affects multi-site WordPress installations, where the attack surface expands due to the interconnected nature of networked sites. The restriction to installations where unfiltered_html has been disabled suggests that the vulnerability may be mitigated through proper WordPress security configurations, though this does not eliminate the risk entirely. The persistent nature of stored XSS means that once injected, malicious scripts will execute every time affected pages are loaded, creating a continuous threat vector for all users who access compromised content.
Mitigation strategies for CVE-2023-6487 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies. Organizations should implement comprehensive input validation and output escaping mechanisms, following OWASP recommendations for XSS prevention. The principle of least privilege should be enforced, limiting administrator access to only necessary personnel and implementing multi-factor authentication to reduce the risk of credential compromise. Network monitoring should be enhanced to detect unusual script execution patterns, while regular security audits should verify proper sanitization of user inputs across all WordPress plugins and themes. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, though this should complement rather than replace proper input sanitization measures.