Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top crudlab-scroll-to-top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through <= 1.0.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of user input during web page generation in the CRUDLab Scroll to Top WordPress plugin, allowing reflected cross‑site scripting. When a user visits a crafted URL that contains malicious payload data, the script is executed in the victim’s browser within the site’s context, enabling an attacker to run arbitrary client‑side code.

Affected Systems

All installations of the CRUDLab Scroll to Top plugin from the initial release through version 1.0.1 are affected. The plugin is distributed by CRUDLab and functions within any WordPress site; any user can trigger the flaw by supplying malicious input.

Risk and Exploitability

The CVSS base score of 7.1 indicates moderate to high severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Reflected XSS can be triggered by unauthenticated users and may be used in phishing or social‑engineering attacks, making it potentially impactful even with a low exploitation probability.

Generated by OpenCVE AI on May 2, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the CRUDLab Scroll to Top plugin to a version newer than 1.0.1; if no newer version is available, disable or uninstall the plugin.
  • Deploy a web application firewall rule that detects and blocks script tags or malicious query parameters in responses generated by the plugin.
  • If upgrading or disabling is not immediately possible, ensure that any plugin‑generated output containing user input is properly encoded or sanitized; as a temporary workaround, remove the scroll‑to‑top feature from the site’s settings if such an option exists.

Advisories

Source: EUVD
ID: EUVD-2025-11604
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through 1.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics: cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (values removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through 1.0.1.
  Description (values added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top crudlab-scroll-to-top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through <= 1.0.1.
  References
  Metrics: cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 16:15:00 +0000
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 15:30:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through 1.0.1.
  Title: WordPress CRUDLab Scroll to Top Plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics: cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:07.014Z

Reserved: 2025-01-07T21:04:56.181Z

Link: CVE-2025-22774

Vulnrichment

Updated: 2025-04-17T15:48:13.325Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:29.437

Modified: 2026-06-17T08:49:57.857

Link: CVE-2025-22774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')