A Cross‑Site Request Forgery flaw in the GP Back To Top WordPress plugin enables an attacker to send forged requests that are accepted by the site as legitimate actions performed by a logged‑in user, potentially altering settings or submitting unwanted content. The vulnerability hinges on missing or inadequate CSRF protection, classified as CWE‑352. This permits malicious actors to exploit the trust relationship between authenticated users and the plugin without needing to guess credentials or compromise the server directly. The impact is confined to the scope of the user session during which the request is made.

WordPress sites that have installed the GP Back To Top plugin version 3.0 or earlier, developed by giangmd93. Any installation that has the plugin enabled and lacks additional CSRF defenses is vulnerable.

The CVSS score of 4.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation at present. Because the vulnerability is not listed in the CISA KEV catalog, there is no evidence of known large‑scale exploitation. Nevertheless, attackers can forge requests from external sites when users visit malicious content, making the vulnerability potentially exploitable in environments with openly logged‑in administrators. The exploitation path is straightforward: construct a crafted form or URL targeting the plugin’s administrative endpoint, persuade a logged‑in user to load it, and the action will be carried out with the user’s privileges.