{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2299", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-13T23:09:22.538Z", "datePublished": "2025-04-03T11:12:30.588Z", "dateUpdated": "2026-04-08T17:04:03.545Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:03.545Z"}, "affected": [{"vendor": "theluckywp", "product": "LuckyWP Table of Contents", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82df5b2e-4c4a-402f-99c9-694fa710009b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/controllers/EditorBlockController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/widgets/customizeSuccess/views/widget.php#L12"}, {"url": "https://plugins.trac.wordpress.org/changeset/3265169/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-04-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-03T13:17:06.503326Z", "id": "CVE-2025-2299", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-03T13:17:30.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2299", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-03T13:17:06.503326Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-03T13:17:22.740Z"}}], "cna": {"title": "LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "theluckywp", "product": "LuckyWP Table of Contents", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82df5b2e-4c4a-402f-99c9-694fa710009b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/controllers/EditorBlockController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/widgets/customizeSuccess/views/widget.php#L12"}, {"url": "https://plugins.trac.wordpress.org/changeset/3265169/"}], "descriptions": [{"lang": "en", "value": "The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:03.545Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2299", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:03.545Z", "dateReserved": "2025-03-13T23:09:22.538Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-03T11:12:30.588Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:theluckywp:luckywp_table_of_contents:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DB99AC9B-AA0C-4CAB-BCAF-01360F95AEC0", "versionEndExcluding": "2.1.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento LuckyWP Table of Contents para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 2.1.10 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta de nonce en la funci\u00f3n 'ajaxEdit'. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-2299", "lastModified": "2025-05-15T19:54:41.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-03T12:15:14.920", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/controllers/EditorBlockController.php#L30"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/luckywp-table-of-contents/trunk/admin/widgets/customizeSuccess/views/widget.php#L12"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3265169/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82df5b2e-4c4a-402f-99c9-694fa710009b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:29:47.239690+00:00", "value": {"mitigation_remediation": ["Upgrade LuckyWP Table of Contents to a version beyond 2.1.10, which contains the missing nonce validation.", "If an upgrade is not immediately possible, temporarily disable or remove the plugin to stop the exposed ajaxEdit endpoint from being reachable.", "Ensure that administrative accounts are protected with strong authentication and monitor for suspicious admin activity to reduce the chance of a social\u2011engineering trigger."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery leading to Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the LuckyWP Table of Contents plugin, any version up to and including 2.1.10. The vulnerability affects all installations that route the ajaxEdit endpoint through this plugin without proper nonce verification.", "description_and_impact": "The LuckyWP Table of Contents plugin for WordPress contains a flaw in the ajaxEdit function where nonce validation is missing or incorrect. This results in a Cross\u2011Site Request Forgery (CWE\u2011352) that allows an unauthenticated attacker to send forged requests to the plugin. If an administrator is tricked into executing such a request, an attacker can inject arbitrary JavaScript, creating a Reflected Cross\u2011Site Scripting vulnerability (CWE\u201179). The impact is that the injected script runs in the context of the site administrator, potentially leaking credentials or defacing the site.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score is less than 1\u202f%, showing a low probability of current exploitation, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Nonetheless, the attack vector relies on social engineering \u2013 an attacker must convince an administrator to click a malicious link or otherwise trigger the forged request. While exploitation risk appears moderate, a successful attack would give an attacker JavaScript execution privileges in the admin\u2019s browser context."}}}}, "created": "2026-04-21T21:30:45.749875+00:00", "updated": "2026-04-21T21:30:45.749885+00:00", "vendors": []}