CVE-2025-13738 in Easy Table of Contents Plugin
Summary
by MITRE • 02/19/2026
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 05/29/2026
The Easy Table of Contents plugin for WordPress carries a critical stored cross-site scripting flaw in version 2.0.78 and earlier. It stems from inadequate input sanitization and output escaping in the plugin's ez-toc shortcode handling, which leaves a persistent injection point for authenticated attackers holding contributor-level privileges or higher. Arbitrary web script injected into a page executes automatically for every user who loads that page, effectively turning the plugin into a delivery mechanism for malicious script served to site visitors.
Technically the flaw falls under CWE-79, the weakness class for cross-site scripting in web applications. The plugin fails to sanitize user-supplied attributes of the ez-toc shortcode, so attacker-controlled input is stored and later rendered without validation or escaping. Because the XSS is stored rather than reflected, it operates at the application layer, rides on the trust WordPress places in its plugins' output, and persists across user sessions and page views. Its impact is amplified by the low privilege required: contributor is a role many WordPress installations grant without much scrutiny, and since a Contributor can write posts but not publish them, the injected script would also run for the editor who previews the submission before it goes live.
Operationally, the vulnerability is a significant risk for any WordPress site running the plugin, because persistently stored script can be used for credential theft, session hijacking, defacement, or redirection to malicious sites. Any user who loads a page containing the injected shortcode triggers the script, so casual visitors are victims as readily as logged-in staff. The persistence comes from the script living in the WordPress database, inside the post content, rather than in a transient HTTP request, which makes it hard to detect and remediate without inspecting and cleaning the database.
The attack surface aligns with ATT&CK technique T1566, which covers the execution of malicious code through various attack vectors, including web-based attacks. Security practitioners should include this vulnerability in their threat modeling, particularly where contributor-level access is granted to untrusted users. Remediation must combine an immediate plugin update to a version that fixes the XSS with a comprehensive scan of stored content to find and remove any previously injected script: the update neutralizes the shortcode output, but it does not remove payloads already sitting in the database. Organizations should also restrict contributor privileges to trusted users, monitor for unusual shortcode usage patterns that might indicate exploitation attempts, and audit WordPress plugins and themes regularly for similar flaws that could compromise the whole installation.
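To make the database-scanning and shortcode-monitoring recommendations above concrete, here is an added Python example. It is not code from VulDB, MITRE, or the Easy Table of Contents plugin. It parses `[ez-toc ...]` shortcodes out of post content the way WordPress's own shortcode parser tokenizes attributes, flags attribute values that carry markup, event handlers, `javascript:` URIs or entity-encoded markup, and shows the output-escaping step (the analogue of WordPress's `esc_attr()`) that the fix requires. The shortcode name comes from the advisory; the attribute names in the sample rows, the sample rows themselves, and the detection heuristics are assumptions, and reading real rows out of `wp_posts` is left to the operator.

```python
"""Scan WordPress post content for ez-toc shortcodes whose attributes carry
markup or script-like values, the kind of stored XSS payload CVE-2025-13738
describes. Added example; the shortcode name is from the advisory, the sample
posts below are constructed, and the attribute names used in them are assumed."""
import html
import re
from dataclasses import dataclass, field

# [ez-toc ...] with everything up to the closing bracket captured as attribute text.
SHORTCODE_RE = re.compile(r"\[ez-toc\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or bare name=value, as WordPress's shortcode parser accepts.
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Heuristics for values that should never appear in a table-of-contents attribute.
# Labels are returned in this order; a hit on either the raw or the entity-decoded
# value counts. They are heuristics: review every hit, expect some false positives.
SUSPICIOUS = [
    (re.compile(r"<\s*/?\s*[a-z]", re.I), "html-tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),   # onclick=, onerror=, ...
    (re.compile(r"javascript\s*:", re.I), "javascript-uri"),
    (re.compile(r"&#x?[0-9a-f]+;|&lt;|&gt;", re.I), "encoded-markup"),
]


@dataclass
class Finding:
    post_id: int
    attr: str
    value: str
    reasons: list = field(default_factory=list)


def parse_attrs(attr_text: str) -> dict:
    """Return {name: value} for the attributes in one shortcode's attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # exactly one of the three value groups (double-, single-quoted, bare) matched
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def classify(value: str) -> list:
    """Labels of every heuristic the value (raw or entity-decoded) trips; [] if clean."""
    decoded = html.unescape(value)
    return [label for pat, label in SUSPICIOUS if pat.search(value) or pat.search(decoded)]


def scan_posts(rows) -> list:
    """rows: iterable of (post_id, post_content), e.g. read from wp_posts.
    Returns one Finding per suspicious attribute, in document order."""
    findings = []
    for post_id, content in rows:
        for sc in SHORTCODE_RE.finditer(content):
            for name, value in parse_attrs(sc.group(1)).items():
                reasons = classify(value)
                if reasons:
                    findings.append(Finding(post_id, name, value, reasons))
    return findings


def escape_attr(value: str) -> str:
    """Output escaping of the kind the fix requires: the value becomes inert text
    inside an HTML attribute. Same purpose as WordPress's esc_attr()."""
    return html.escape(value, quote=True)


# Constructed sample rows standing in for wp_posts (ID, post_content).
# Attribute names are assumed for illustration, not taken from the plugin.
SAMPLE_POSTS = [
    (101, 'Intro text [ez-toc heading_levels="2,3"] more text'),
    (102, '[ez-toc title="Contents" view_more="3"]'),
    (103, "Body [ez-toc title='Contents\"><script>console.log(\"x\")</script>']"),
    (104, '[ez-toc label="Go to &lt;b onclick=doThing()&gt;top"]'),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: attribute {f.attr!r} flagged ({', '.join(f.reasons)})")
        print("  escaped form:", escape_attr(f.value))
```

Run against real data by replacing `SAMPLE_POSTS` with rows selected from `wp_posts` (and `wp_postmeta` if the site stores shortcodes in custom fields). Decoding entities before matching matters: post 104 carries no literal `<`, yet once WordPress unescapes the attribute it is markup with an event handler, so a scanner that checks only the raw bytes would miss it.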