Cross-Site Request Forgery Vulnerability in LuckyWP Table of Contents Plugin for WordPress
CVE-2025-2299

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
LuckyWP Table Of Contents
Vendor
CVE Published:
3 April 2025

What is CVE-2025-2299?

The LuckyWP Table of Contents plugin for WordPress allows unauthenticated attackers to exploit a Cross-Site Request Forgery (CSRF) vulnerability due to inadequate nonce validation in the 'ajaxEdit' function. This flaw can be exploited if a malicious actor tricks an administrator into clicking a specially crafted link, which can lead to the injection of arbitrary scripts on the site. This security issue affects all versions up to and including 2.1.10, necessitating immediate attention from users to mitigate potential risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

LuckyWP Table of Contents * <= 2.1.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/luckywp-table-...
https://plugins.trac.wordpress.org/browser/luckywp-table-...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini
JSON
.