CVE-2022-2709: 
WordPress vulnerability analysis and mitigation

The Float to Top Button WordPress plugin through version 2.3.6 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the plugin does not properly escape some of its settings, which could allow high-privilege users such as administrators to perform stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability is classified as CWE-79 (Cross-Site Scripting) with a CVSS v3.1 base score of 4.8 (Medium). The attack vector is Network-based, requires High privileges and User interaction, with Changed scope and Low impact on both Confidentiality and Integrity. The vulnerability can be exploited by inserting malicious payloads in the 'Text for the button' or 'URL of a custom Top of Page image' settings of the plugin (AttackerKB).

If successfully exploited, this vulnerability allows authenticated administrators to store and execute malicious JavaScript code that would be triggered when accessing the settings page again. This could potentially lead to client-side attacks against other administrative users (WPScan).

At the time of reporting, there was no known fix available for this vulnerability in the Float to Top Button WordPress plugin (WPScan).