CVE-2025-23651: 
WordPress vulnerability analysis and mitigation

The Scroll Top WordPress plugin is affected by a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-23651. This security flaw affects all versions of the plugin up to and including version 1.3.3. The vulnerability was discovered by SOPROBRO and publicly disclosed on January 16, 2025 (Patchstack, WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's code (Patchstack).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. The successful exploitation could lead to the compromise of user sessions, injection of malicious content, or theft of sensitive information (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the affected plugin versions should consider either removing the plugin or implementing additional security controls to mitigate the risk of XSS attacks (WPScan).