CVE-2025-23651

CVE-2025-23651 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Scroll Top scroll-to-top-builder developed by adamskaat. This issue affects all versions of the plugin from n/a through 1.3.3 inclusive. Published on 2025-02-14T13:15:45.200, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, and scope change.

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) by tricking a victim user into performing an action such as clicking a malicious link or submitting crafted input that reflects an XSS payload (UI:R). Upon successful exploitation, the attacker achieves script execution in the victim's browser context with changed scope (S:C), resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), such as potential theft of session data or minor site manipulation.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-to-top-builder/vulnerability/wordpress-scroll-top-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in Scroll Top plugin version 1.3.3 and provides details on mitigation for affected WordPress installations.