Go To Top CVE-2025-28922
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Terence D. Go To Top allows Stored XSS. This issue affects Go To Top: from n/a through 0.0.8.
AnalysisAI
CSRF vulnerability in the Go To Top WordPress plugin through version 0.0.8 enables attackers to store malicious JavaScript via cross-site request forgery. An authenticated administrator or privileged user can be tricked into executing a forged request that injects persistent XSS payloads into the plugin's settings or content areas. The CVSS score of 7.1 reflects changed scope and multi-step exploitation requirements (CSRF leading to stored XSS). EPSS score of 0.05% (14th percentile) indicates very low probability of mass exploitation, consistent with a targeted attack against WordPress administrators requiring social engineering.
Technical ContextAI
This is a chained vulnerability (CWE-352 CSRF) in a WordPress plugin that allows stored cross-site scripting. The Go To Top plugin likely provides administrative settings for configuring scroll-to-top button behavior. The vulnerability exists because the plugin fails to validate CSRF tokens on state-changing requests that accept user input, and also lacks proper sanitization of that input before storage. When combined, an attacker can craft a malicious webpage containing a hidden form that submits to the vulnerable plugin endpoint. If an authenticated WordPress admin visits the attacker's page while logged in, their browser automatically submits the forged request with valid session cookies, injecting malicious JavaScript that executes whenever the affected page/component is rendered. The changed scope (S:C) in the CVSS vector indicates the XSS can affect resources beyond the vulnerable plugin's security context, potentially compromising the entire WordPress site.
Affected ProductsAI
WordPress Go To Top plugin versions from earliest available release through 0.0.8 are confirmed vulnerable per Patchstack database advisory. The plugin is developed by Terence D. and distributed through the official WordPress.org plugin repository. All WordPress installations running Go To Top plugin version 0.0.8 or earlier are affected regardless of WordPress core version. The vulnerability exists in the plugin's administrative interface where CSRF protections and input sanitization are absent. Full advisory available at Patchstack: https://patchstack.com/database/wordpress/plugin/go-to-top/vulnerability/wordpress-go-to-top-plugin-0-0-8-csrf-to-stored-xss-vulnerability?_s_id=cve
RemediationAI
Immediately update Go To Top plugin to version 0.0.9 or later if available, or remove the plugin entirely if patched version is not confirmed. Check the WordPress plugin repository or Patchstack advisory for the officially released fix version. As of this analysis, the Patchstack reference confirms the vulnerability in version 0.0.8 but does not explicitly state a patched version number-verify with the WordPress plugin repository before deploying. If no patch is available and the plugin is non-critical, deactivate and delete it from WordPress admin dashboard under Plugins menu. If the scroll-to-top functionality is required, substitute with an alternative plugin that has recent security audits. Compensating controls while awaiting patch: restrict WordPress admin panel access to trusted IP addresses via .htaccess or firewall rules (trade-off: reduces mobility for legitimate admins); implement Content Security Policy headers to limit XSS execution scope (does not prevent storage of malicious scripts but reduces impact); educate administrators not to click external links while logged into WordPress admin panel. Review plugin settings and database entries for suspicious JavaScript in Go To Top configuration tables after applying fixes.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today