cleantalk
Vulnerabilities and Security Researches

LuckyWP Table of Contents, CVE-2025-2299

CVE, Research URL

CVE-2025-2299

Home page URL

Security reports for LuckyWP Table of Contents

Application

LuckyWP Table of Contents

Published on
Apr 03, 2025
Research Description
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 2.1.11.
Status
vulnerable
Previous vulnerability researches
Church Admin (CVE-2024-50438) , Oct 28, 2024
Church Admin (CVE-2024-37440) , Jul 02, 2024
Church Admin (CVE-2024-53795) , Dec 08, 2024
Church Admin (CVE-2025-26941) , Mar 28, 2025
Church Admin (CVE-2024-37418) , Jul 08, 2024
New vulnerability
Social Crowd (CVE-2025-31390) , Apr 11, 2025
Review Stream (CVE-2025-32680) , Apr 11, 2025
MMX – Make Me Christmas (CVE-2025-31401) , Apr 11, 2025
Site Table of Contents (CVE-2025-31385) , Apr 11, 2025
Nepali Date Utilities (CVE-2025-32664) , Apr 11, 2025