CVE-2024-2218 in LuckyWP Table of Contents Plugin
Summary
by MITRE • 06/14/2024
The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/23/2025
The LuckyWP Table of Contents WordPress plugin version 2.1.4 and earlier contains a critical stored cross-site scripting vulnerability that affects high-privilege users including administrators. This vulnerability stems from insufficient sanitization and escaping of user input within the plugin's settings handling mechanism. The flaw specifically impacts environments where the unfiltered_html capability is restricted, such as multisite WordPress installations, making it particularly dangerous in shared hosting or enterprise environments where security policies are strictly enforced. The vulnerability allows authenticated attackers with administrative privileges to inject malicious scripts that persist in the plugin's configuration settings and execute whenever the affected page is loaded.
The technical implementation of this vulnerability occurs within the plugin's settings processing logic where user-provided input is stored without proper sanitization before being rendered back to users. This creates a classic stored XSS vector where malicious payloads can be embedded in plugin configuration fields and executed in the context of other users' browsers who access pages utilizing the plugin. The vulnerability is particularly concerning because it operates despite the presence of WordPress security measures designed to prevent unfiltered HTML input, demonstrating a failure in the plugin's input validation and output escaping mechanisms. Attackers can leverage this weakness to execute arbitrary JavaScript code, potentially leading to session hijacking, data exfiltration, or privilege escalation within the WordPress environment.
The operational impact of this vulnerability extends beyond simple script execution as it represents a significant threat to WordPress site integrity and user security. In multisite configurations where administrative privileges are commonly shared across multiple sites, a successful exploitation could compromise entire network ecosystems. The stored nature of the vulnerability means that malicious scripts remain persistent until manually removed from the plugin settings, providing attackers with extended periods of access and the ability to establish more sophisticated attack vectors. This vulnerability directly maps to CWE-79 which defines cross-site scripting flaws, and aligns with ATT&CK technique T1546.001 for modifying registry run keys and T1566.001 for credential access through phishing, as attackers could use the XSS to capture user sessions or harvest credentials from compromised users.
Mitigation strategies should focus on immediate plugin updates to versions that address the sanitization issues, alongside implementing additional security measures such as restricting administrative privileges to only essential personnel and monitoring plugin configuration changes. Organizations should also consider implementing Content Security Policy headers to limit script execution and regular security audits of installed plugins to identify similar vulnerabilities. The vulnerability highlights the critical importance of proper input sanitization and output escaping in web applications, particularly in WordPress plugins that handle user configuration data, as these components often serve as attack vectors for sophisticated compromise attempts.