CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Markbeljaars Table of Contents Creator allows Reflected XSS. This issue affects Table of Contents Creator: from n/a through 1.6.4.1.
Analysis
A reflected cross-site scripting (XSS) vulnerability exists in the Table of Contents Creator WordPress plugin that allows an attacker to inject script into a page served to a victim. The vulnerability affects all versions up to and including 1.6.4.1 and can be exploited remotely without authentication, though it requires user interaction (the victim must open an attacker-crafted link). With a CVSS v3.1 base score of 7.1 and a changed scope, this is a High severity issue on the CVSS qualitative scale (7.0 to 8.9), reported by Patchstack's audit team.
Technical Context
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), an output-encoding flaw in which user-supplied data is written into HTML without being escaped for the context it lands in (element body, attribute value, URL, or script). The Table of Contents Creator plugin for WordPress reflects request parameters back into its HTTP responses without adequate escaping, so an attacker can close out the intended markup and supply arbitrary JavaScript. Because the XSS is reflected rather than stored, the payload does not persist on the server; it has to reach each victim through a crafted URL or form submission, which is why the vector carries UI:R. The remaining CVSS metrics indicate network-based exploitation (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N). The scope is changed (S:C) because the vulnerable component is the server-side plugin while the impact occurs in the victim's browser, under a different security authority; this is the usual scoring for reflected XSS and is what lifts the score from the Medium band into High.
Affected Products
The vulnerability affects the Table of Contents Creator WordPress plugin by Markbeljaars in all versions up to and including 1.6.4.1; the advisory gives no lower bound ("from n/a"), so every installed version should be treated as affected. The Patchstack vulnerability database entry confirms this version range at https://patchstack.com/database/wordpress/plugin/table-of-contents-creator/vulnerability/wordpress-table-of-contents-creator-plugin-1-6-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Any WordPress site with this plugin active is exposed to reflected XSS, regardless of the WordPress core version, because the flaw is in the plugin's own output handling.
Remediation
Upgrade the Table of Contents Creator plugin to a version newer than 1.6.4.1 that addresses this vulnerability, checking the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/table-of-contents-creator/vulnerability/wordpress-table-of-contents-creator-plugin-1-6-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific patched version. If an immediate update is not feasible, temporarily deactivate the plugin until the patch can be applied, or deploy Web Application Firewall (WAF) rules that block script-like input in the plugin's request parameters as a stopgap; such rules reduce exposure but do not fix the missing output encoding. Review the web server's access logs for requests carrying script payloads in query parameters, since reflected XSS probes leave a visible trace there. A Content Security Policy (CSP) limits what an injected script can do, but only if it does not allow 'unsafe-inline' for script-src; a policy that permits inline script provides no protection against reflected XSS. User awareness training about suspicious links remains a supporting control, not a substitute for patching.
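The log review suggested above, as an added example that is not the plugin's code and not a Patchstack or WAF vendor rule. The advisory does not publish the vulnerable parameter name, so the constructed log lines below use a hypothetical parameter (toc_title) purely to illustrate the steps: parse the request line, percent-decode the query repeatedly (probes are often double-encoded to slip past a single decode), and match the decoded value against common script-injection indicators.

```python
"""Triage helper: flag access-log requests that look like reflected-XSS probes.

Added example, not the plugin's code. The parameter name 'toc_title' and the
log lines are constructed for illustration; the advisory names no parameter.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "GET /?toc_title=Intro HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:03 +0000] "GET /?toc_title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:04 +0000] "GET /?toc_title=%22%20onmouseover%3Dalert(document.domain)%20x%3D%22 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:05 +0000] "GET /?toc_title=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2025:10:01:06 +0000] "GET /wp-content/plugins/table-of-contents-creator/toc.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of a script-injection attempt, applied to the fully decoded value.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                                   # <script>
    re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b[^>]*\bon\w+\s*=", re.I),  # tag with event handler
    re.compile(r"[\"']\s*on\w+\s*=", re.I),                              # breaking out of an attribute
    re.compile(r"javascript\s*:", re.I),                                 # javascript: URL
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) pairs whose value matches an XSS indicator."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl performs one decode; fully_decode handles any further layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list:
    """One finding per request that carries an XSS-looking parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["params"])
```

Run against the constructed sample, the scan flags the three probe requests from 203.0.113.9 and ignores the benign title and the static CSS fetch. A 200 status on a flagged request means the server reflected something back, not that the payload executed; confirming an actual XSS still requires inspecting the response. These patterns are deliberately coarse and will miss obfuscated payloads, which is the reason the stopgap is log review plus a WAF rule, and the fix is the vendor patch.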
EUVD-2025-208867