Attack Vectors
Easy Table of Contents (slug: easy-table-of-contents) is affected by a Medium-severity stored cross-site scripting (XSS) vulnerability (CVE-2025-13738, CVSS 6.4) in versions up to and including 2.0.78. The issue is tied to the plugin’s ez-toc shortcode, where user-supplied attributes are not sufficiently sanitized and escaped.
The most important business-facing risk is that an authenticated user with Contributor-level access or higher can embed malicious script content into a page using the shortcode. That script can then run automatically when anyone views the affected page, including executives, customers, partners, or employees—without requiring them to click anything.
Security Weakness
The root weakness is insufficient input sanitization and output escaping for shortcode attributes in the Easy Table of Contents plugin. This allows stored content to be saved in the site database and later rendered in visitors’ browsers as active script, rather than safe text.
Because it is stored, the malicious content can persist across sessions and affect multiple visitors over time. This also means the impact is not limited to a single user account—anyone who can view the compromised page can be exposed.
Technical or Business Impacts
Stored XSS can be used to undermine trust and disrupt business operations. Depending on what is injected and who views it, outcomes can include: unauthorized actions taken in a logged-in user’s browser session, theft of information available in the browser context, defacement of high-visibility pages, manipulation of form submissions, or redirection to malicious content.
For marketing directors and business leaders, the largest risks often show up as brand damage (customers seeing tampered content), compliance exposure (security incidents involving user data or tracking), and revenue impact (lost conversions or campaigns paused during incident response). This vulnerability is rated Medium (CVSS 6.4), but it can still have outsized consequences when exploited on high-traffic landing pages or authenticated areas used by staff.
Remediation: update Easy Table of Contents to version 2.0.79 or a newer patched version. Track details under CVE-2025-13738 and the vendor advisory source at Wordfence Threat Intel.
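As an added example that is not part of this advisory or of the plugin's own code, the Python below shows two defender-side checks a site owner can run after reading the sections above: a version comparison against the patched release named here, and a scan of exported post content for ez-toc shortcode attributes that carry markup characters which proper output escaping would neutralize. The attribute names, sample post bodies and function names are constructed for illustration and are not taken from the plugin.

```python
import html
import re

# Patched release named in the advisory; anything older is in scope for CVE-2025-13738.
PATCHED_VERSION = (2, 0, 79)

# Captures everything between "[ez-toc" and the closing "]".
SHORTCODE_RE = re.compile(r"\[ez-toc(?P<attrs>[^\]]*)\]", re.IGNORECASE)
# WordPress-style attributes: key="value", key='value' or key=value (constructed parser,
# not WordPress's shortcode_parse_atts; values containing the quote character are out of scope).
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Characters and tokens that must not survive verbatim inside an HTML attribute value.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Constructed sample post bodies; attribute names are illustrative only.
SAMPLE_POSTS = [
    '<p>Quarterly report</p>[ez-toc header_label="Contents" toggle_view="1"]',
    '<p>Landing page</p>[ez-toc header_label="Contents<script>x</script>"]',
]


def is_vulnerable_version(version: str) -> bool:
    """True when the installed plugin version is older than the patched release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < PATCHED_VERSION


def find_suspicious_attrs(post_content: str) -> list[tuple[str, str]]:
    """Return (attribute, value) pairs in ez-toc shortcodes whose values carry markup."""
    hits = []
    for shortcode in SHORTCODE_RE.finditer(post_content):
        for attr in ATTR_RE.finditer(shortcode.group("attrs")):
            name = attr.group(1)
            value = next(v for v in attr.groups()[1:] if v is not None)
            if SUSPICIOUS_RE.search(value):
                hits.append((name, value))
    return hits


def escape_for_attribute(value: str) -> str:
    """Context-appropriate escaping for an attribute value (same idea as WordPress esc_attr)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("2.0.78 vulnerable:", is_vulnerable_version("2.0.78"))
    for body in SAMPLE_POSTS:
        for name, value in find_suspicious_attrs(body):
            print(f"review attribute {name!r}; escaped form: {escape_for_attribute(value)}")
```

Run against a WordPress export (or the `post_content` column) to produce a review list; a hit means the page should be inspected and the attribute value cleaned, not that exploitation has occurred.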
Similar Attacks
Stored XSS is a common web application issue and has been widely exploited across platforms and plugins. For reference, here are a few real examples of XSS vulnerabilities and related incidents affecting widely used software:
CISA Known Exploited Vulnerabilities Catalog (includes multiple XSS cases)
CVE-2023-34362 (MOVEit Transfer; widely exploited campaign)
CVE-2021-44228 (Log4Shell; illustrates how “software component” flaws create broad business risk)