Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamskaat Scroll Top scroll-to-top-builder allows Reflected XSS. This issue affects Scroll Top: from n/a through <= 1.3.3.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper neutralization of user input during web page generation (CWE-79) in its reflected form: a request parameter is echoed into the HTTP response without escaping appropriate to the output context. An attacker who gets a victim to open a crafted URL has arbitrary JavaScript executed in the victim's browser within the origin of the affected WordPress site. That script can read cookies not marked HttpOnly, issue authenticated requests on the victim's behalf (most damaging when the victim is a logged-in administrator), deface the page, or redirect the user, compromising the confidentiality and integrity of the site and of its users' sessions.

Affected Systems

The flaw exists in the adamskaat Scroll Top plugin for WordPress (plugin slug scroll-to-top-builder) in all releases up to and including version 1.3.3; the "from n/a" in the description means no lower bound is recorded, so every earlier release should be treated as affected. Sites running these versions are vulnerable until updated to a patched release.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) places the issue in the high-severity range: it is reachable over the network without authentication, but the victim has to open a crafted link (UI:R), and the changed scope reflects that the script runs in the user's browser rather than on the server. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the CVE is not in the CISA KEV catalog, so there is no public record of active exploitation; the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no) says the same. The attack path is a crafted link, or a page that auto-submits a request to the vulnerable endpoint, delivered to a user of the site, typically a logged-in administrator. Any internet-facing WordPress site running an affected version is a candidate target, and the required user interaction is the only real barrier to exploitation.

Generated by OpenCVE AI on May 1, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Scroll Top plugin (scroll-to-top-builder) to a release later than 1.3.3 as soon as the vendor publishes one. This page records no fixed version, so confirm the patched version in the plugin changelog before relying on the update; if no fix is available, deactivating the plugin removes the exposure.
  • If an update is not immediately possible, escape reflected request parameters at the point of output with the escaping function for that context (in WordPress: esc_html(), esc_attr(), esc_url(), esc_js()), and validate parameters with a known set of values against an allowlist. Input-side sanitization alone (for example sanitize_text_field()) does not neutralize a quote that closes an HTML attribute.
  • Deploy or tighten a web application firewall rule set to block or filter common XSS payloads targeting the plugin's input endpoints, treating this as a stopgap only: reflected XSS payloads are easily obfuscated, and the WAF does not fix the underlying missing escaping.

Generated by OpenCVE AI on May 1, 2026 at 16:32 UTC.
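The escaping recommendation above is the whole fix for a CWE-79 finding of this kind, so here is the pattern in code. This is an added illustration, not code from the Scroll Top plugin or from OpenCVE: the parameter name "tab", the allowlist of tab names, the markup and the helper names ending in _ctx are assumptions for the demo. The _ctx helpers are standalone equivalents of the WordPress functions esc_attr(), esc_html(), esc_url() and esc_js() so that the file runs under php-cli; inside a plugin, call the WordPress functions instead.

```php
<?php
// Added illustration (not the plugin's code): the generic reflected-XSS
// pattern behind a CWE-79 finding in a WordPress plugin, beside the
// context-aware escaping that removes it. Parameter name, allowlist and
// markup are assumptions for the demo.
declare(strict_types=1);

// Constructed attacker input, as it would arrive in $_GET['tab'] from a crafted link.
const PAYLOAD = '"><script>alert(document.domain)</script>';

// Vulnerable: the request parameter is concatenated straight into markup.
function render_tab_vulnerable(string $tab): string
{
    // The double quote in $tab terminates the value attribute; the remainder
    // is parsed as HTML and the <script> element executes.
    return '<input type="hidden" name="tab" value="' . $tab . '">'
         . '<h2>Settings: ' . $tab . '</h2>';
}

// Standalone equivalents of esc_attr()/esc_html(): encode &, <, >, " and '.
function esc_attr_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_html_ctx(string $s): string
{
    return esc_attr_ctx($s);
}

// Equivalent of esc_url(): only http(s) and relative URLs survive, so
// javascript: and data: schemes never reach an href.
function esc_url_ctx(string $s): string
{
    $scheme = parse_url($s, PHP_URL_SCHEME);
    if (is_string($scheme) && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return esc_attr_ctx($s);
}

// Equivalent of esc_js()/wp_json_encode() for an inline <script> string
// literal: the HEX flags turn quotes and angle brackets into \uXXXX escapes,
// so neither a quote nor "</script>" can break out of the literal.
function esc_js_ctx(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Hardened: allowlist the value where its set is known, and escape for the
// specific output context wherever free-form text is rendered.
function render_tab_hardened(string $tab): string
{
    $allowed  = ['general', 'style', 'advanced'];                 // assumed tab names
    $safe_tab = in_array($tab, $allowed, true) ? $tab : 'general';
    $back_url = 'admin.php?page=demo&tab=' . rawurlencode($safe_tab);

    return '<input type="hidden" name="tab" value="' . esc_attr_ctx($safe_tab) . '">'
         . '<h2>Settings: ' . esc_html_ctx($tab) . '</h2>'          // untrusted text, now inert
         . '<a href="' . esc_url_ctx($back_url) . '">Back</a>'
         . '<script>var currentTab = ' . esc_js_ctx($tab) . ';</script>';
}

// Crude indicator for the demo: does the rendered markup still carry the
// payload's script element in executable form?
function payload_executes(string $html): bool
{
    return stripos($html, '<script>alert') !== false;
}

echo "vulnerable: " . render_tab_vulnerable(PAYLOAD) . "\n";
echo "hardened:   " . render_tab_hardened(PAYLOAD) . "\n";
printf(
    "payload executes: vulnerable=%s hardened=%s\n",
    payload_executes(render_tab_vulnerable(PAYLOAD)) ? 'yes' : 'no',
    payload_executes(render_tab_hardened(PAYLOAD)) ? 'yes' : 'no'
);
```

Run it with php on the command line. The vulnerable output contains a live `<script>` element; the hardened output shows the same payload as text inside the heading (`&quot;&gt;&lt;script&gt;...`) and as a \u-escaped string inside the inline script. The point to carry back to a real plugin is that the escaping has to sit at each output site and match that site's context: HTML body, attribute value, URL and JavaScript string each need a different encoder, and a value that is escaped for one context can still break out of another.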

Advisories
Source ID Title
EUVD EUVD-2025-3315 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Scroll Top allows Reflected XSS. This issue affects Scroll Top: from n/a through 1.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description: removed "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Scroll Top allows Reflected XSS. This issue affects Scroll Top: from n/a through 1.3.3."; added "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamskaat Scroll Top scroll-to-top-builder allows Reflected XSS. This issue affects Scroll Top: from n/a through <= 1.3.3."
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss: removed {'score': 0.00032}; added {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss: removed {'score': 0.00072}; added {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Scroll Top allows Reflected XSS. This issue affects Scroll Top: from n/a through 1.3.3.
Title WordPress Scroll Top plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:16.079Z

Reserved: 2025-01-16T11:27:38.285Z

Link: CVE-2025-23651

Vulnrichment

Updated: 2025-02-14T15:35:50.539Z

NVD

Status : Deferred

Published: 2025-02-14T13:15:45.200

Modified: 2026-04-23T15:24:13.457

Link: CVE-2025-23651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses