CVE-2024-5029: 
WordPress vulnerability analysis and mitigation

The CM Table Of Contents WordPress plugin before version 1.2.4 contains a vulnerability identified as CVE-2024-5029. The vulnerability was discovered and publicly disclosed on October 31, 2024. The issue affects the plugin's settings update functionality, which lacks proper security controls (WPScan).

The vulnerability combines multiple security issues: a Cross-Site Request Forgery (CSRF) vulnerability in the settings update functionality, missing input sanitization, and inadequate output escaping. Version 1.2.3 partially addressed the issue by implementing CSRF protection, but still lacked proper escaping of settings. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow attackers to inject stored Cross-Site Scripting (XSS) payloads into the plugin's settings through a CSRF attack. This could potentially lead to the execution of malicious JavaScript code in the context of authenticated administrators viewing the affected pages (WPScan).

The vulnerability has been fixed in version 1.2.4 of the CM Table Of Contents WordPress plugin. Site administrators are strongly advised to update to this latest version to protect against potential attacks (WPScan).