Platform
wordpress
Component
table-of-contents-creator
Fixed in
1.6.5
CVE-2025-68836 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Table of Contents Creator WordPress plugin. It allows an attacker to inject malicious scripts into web pages viewed by other users, which can lead to account compromise or data theft. The vulnerability affects plugin versions from n/a up to and including 1.6.4.1, and a fix is available in version 1.6.4.1.
Successful exploitation of CVE-2025-68836 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can lead to a variety of malicious actions, including session hijacking, credential theft (e.g., stealing login cookies), redirection to phishing sites, and defacement of the website. The impact is amplified if the website handles sensitive user data or is used for critical business operations. The reflected nature of the XSS means the attacker needs to trick a user into clicking a malicious link, but once that occurs, the impact can be significant.
CVE-2025-68836 was publicly disclosed on 2026-03-19. While no public proof-of-concept (POC) code has been widely released, the ease of exploiting reflected XSS vulnerabilities suggests a moderate risk of exploitation. The vulnerability is not currently listed on CISA KEV. Attackers often target WordPress plugins due to their widespread use and potential for large-scale impact.
Websites using the Table of Contents Creator plugin, particularly those with user authentication or handling sensitive data, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider may be particularly vulnerable if they haven't applied the update.
• wordpress / composer / npm:
grep -r "<script" /var/www/html/wp-content/plugins/table-of-contents-creator/
• wordpress / composer / npm:
wp plugin list --status=all | grep "table-of-contents-creator"
• wordpress / composer / npm:
wp plugin update table-of-contents-creator
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68836 is to upgrade the Table of Contents Creator plugin to version 1.6.4.1 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing input validation and output encoding on user-supplied data within the plugin. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
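As an added example (not part of this advisory or the plugin's code), the following Python script implements the access-log monitoring recommended above: it parses combined-format log lines, URL-decodes each query string, and flags requests whose decoded query carries script-injection markers. The log lines, IP addresses and parameter names are constructed for illustration and are not taken from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2026:10:01:02 +0000] "GET /?s=wordpress HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:01:09 +0000] "GET /wp-content/plugins/table-of-contents-creator/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [20/Mar/2026:10:02:44 +0000] "GET /blog/?toc=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2026:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request line of a combined-format entry: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Defensive signatures for reflected script injection in a decoded query string.
# Not exhaustive, and "\bon[a-z]+\s*=" will also match benign names like "option="; tune to your site.
XSS_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe)\b", re.I),
]


def decode_query(url: str) -> str:
    """Return the URL-decoded query string; decoding twice also catches double-encoded payloads."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return unquote_plus(unquote_plus(query))


def find_xss_suspects(log_text: str) -> list:
    """Parse combined-format log lines and return entries whose decoded query matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        decoded = decode_query(m.group("url"))
        matched = [p.pattern for p in XSS_INDICATORS if p.search(decoded)]
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "url": m.group("url"),
                         "decoded_query": decoded, "status": int(m.group("status")),
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_xss_suspects(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["decoded_query"])
```

A 200 response to a flagged request is worth a closer look than a 403, since it suggests the request reached the plugin rather than being blocked at the WAF.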
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-68836 is a Reflected XSS vulnerability in the Table of Contents Creator WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Table of Contents Creator versions prior to 1.6.4.1. Upgrade immediately to mitigate the risk.
Upgrade the Table of Contents Creator plugin to version 1.6.4.1 or later. Consider input validation and WAF rules as additional protections.
There are currently no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.