CVE-2025-2299

Summary

CVE-2025-2299 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the LuckyWP Table of Contents plugin for WordPress. Versions up to and including 2.1.10 are impacted. The vulnerability arises due to missing or incorrect nonce validation on the 'ajaxEdit' function, enabling unauthenticated attackers to inject arbitrary web scripts if they successfully trick a site administrator into performing a specific action, such as clicking a malicious link. This could potentially lead to serious security consequences, including unauthorized updates or unintended changes to plugin settings. It is recommended that users update to the latest version of the plugin to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.