CVE-2025-31399: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Chandan Garg's CG Scroll To Top WordPress plugin, affecting versions up to 3.5. The vulnerability was disclosed on April 9, 2025, and was assigned CVE-2025-31399. This security issue allows for Stored Cross-Site Scripting (XSS) attacks through CSRF (Patchstack Database).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and requires no authentication to exploit, though it does require user interaction (NVD).

The vulnerability allows attackers to potentially execute unwanted actions under the privileges of authenticated users through CSRF attacks, which can lead to stored XSS. This combination of CSRF and stored XSS could enable attackers to perform actions on behalf of authenticated users and potentially inject malicious scripts that would execute when other users view the affected pages (Patchstack Database).

As of the disclosure date, no official fix has been released for this vulnerability. The issue affects CG Scroll To Top plugin versions up to and including 3.5 (Patchstack Database).