CVE-2025-28922 Overview
CVE-2025-28922 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress "Go To Top" plugin developed by Terence D. Because the plugin accepts a forged settings request and stores the submitted values without sanitization, an attacker who lures a logged-in administrator to a malicious page can chain CSRF with Stored Cross-Site Scripting (XSS): the forged request writes attacker-controlled script into the plugin's settings, and that script then runs for every visitor on pages where the plugin renders its output. In effect the attacker performs an unauthorized settings change on behalf of the administrator and gains persistent script execution across the site.
Critical Impact
Attackers can leverage CSRF to inject stored XSS payloads, potentially leading to session hijacking, administrative account compromise, website defacement, and malware distribution to site visitors.
Affected Products
- Go To Top WordPress Plugin version 0.0.8 and earlier, in all configurations
- Any WordPress site on which a vulnerable version of the plugin is installed and active (the settings handler is only reachable while the plugin is active)
Discovery Timeline
- 2025-03-11 - CVE-2025-28922 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-28922
Vulnerability Analysis
This vulnerability represents a dangerous combination of two attack types: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The Go To Top plugin fails to implement proper CSRF token validation on its administrative settings forms, allowing attackers to craft malicious requests that modify plugin settings when an authenticated administrator visits a specially crafted page.
The lack of input sanitization in conjunction with missing CSRF protection creates a pathway for attackers to inject malicious JavaScript code that gets stored in the WordPress database. Once stored, this XSS payload executes in the browsers of any user viewing affected pages, including administrators, potentially leading to credential theft, session hijacking, or further compromise of the WordPress installation.
The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). Exploitation requires user interaction: an authenticated administrator must load the attacker's page while the WordPress login cookies are still valid. The forged request then arrives with those cookies, so it passes authentication; what should reject it is the per-action WordPress nonce, which the plugin does not check.
Root Cause
The root cause of this vulnerability lies in the Go To Top plugin's failure to implement proper security controls on its settings management functionality. Specifically:
Missing CSRF Token Validation: The plugin does not verify a WordPress nonce (the token emitted by wp_nonce_field() and checked by check_admin_referer() or wp_verify_nonce()) on its settings form submissions, so a page on any other origin can submit a request to the plugin's settings handler and have it accepted.
Insufficient Input Sanitization: User-supplied input is not sanitized (for example with sanitize_text_field() or a type-coercing callback) before being stored in the database, so a submitted value may contain script.
Lack of Output Encoding: When the stored settings are rendered on the frontend they are not escaped for their output context (esc_html() for text nodes, esc_attr() for attribute values), so injected markup is emitted verbatim and executes in visitor browsers.
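The following is an added example, not the Go To Top plugin's code: a hypothetical settings handler written twice, once with the three root-cause defects listed above and once hardened. The option name gtt_demo_settings, the action gtt_demo_save, the nonce name and the field names are invented for illustration. Inside WordPress it can be dropped in as a mu-plugin; outside WordPress the shims at the bottom (approximations of the WordPress helpers, not the real functions) let the sanitizer and renderer be exercised from the command line with `php handler.php`.

```php
<?php
/*
 * Added example, not the Go To Top plugin's code. Option name, action name,
 * nonce name and field names are invented for illustration.
 */

// ---- Vulnerable pattern (the three defects described above) --------------
function gtt_demo_save_settings_vulnerable() {
    // No nonce and no capability check: any POST that arrives with the
    // administrator's cookies is accepted, including one auto-submitted by an
    // attacker's page. No sanitization: raw input goes straight to the database.
    update_option( 'gtt_demo_settings', array(
        'button_text' => $_POST['button_text'],
        'offset'      => $_POST['offset'],
    ) );
}

function gtt_demo_render_vulnerable( $s ) {
    // No output escaping: a stored value such as <img src=x onerror=alert(1)>
    // is emitted verbatim and runs in every visitor's browser.
    return '<a href="#top" data-offset="' . $s['offset'] . '">' . $s['button_text'] . '</a>';
}

// ---- Hardened pattern ----------------------------------------------------
function gtt_demo_sanitize_settings( $input ) {
    // Allow-list the keys, coerce types and strip tags; unknown keys are
    // dropped and missing keys fall back to safe defaults.
    $clean = array( 'button_text' => 'Top', 'offset' => 300 );
    if ( isset( $input['button_text'] ) ) {
        $clean['button_text'] = sanitize_text_field( (string) $input['button_text'] );
    }
    if ( isset( $input['offset'] ) ) {
        $clean['offset'] = min( 5000, absint( $input['offset'] ) );
    }
    return $clean;
}

function gtt_demo_save_settings_hardened() {
    // CSRF fix: the nonce is bound to this action and the current user's
    // session, so a request forged from another origin cannot carry a valid one.
    check_admin_referer( 'gtt_demo_save', 'gtt_demo_nonce' );
    // Authorization is a separate check: being logged in is not the same as
    // being allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    update_option( 'gtt_demo_settings', gtt_demo_sanitize_settings( $_POST ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

function gtt_demo_render_hardened( $s ) {
    // Context-appropriate escaping at the point of output neutralises anything
    // that still reached the database (e.g. a value written before the fix).
    return '<a href="#top" data-offset="' . esc_attr( $s['offset'] ) . '">'
         . esc_html( $s['button_text'] ) . '</a>';
}

function gtt_demo_settings_form() {
    // The settings form emits the nonce field that the hardened handler verifies.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'gtt_demo_save', 'gtt_demo_nonce' );
    echo '<input type="hidden" name="action" value="gtt_demo_save">';
    echo '<input name="button_text"> <input name="offset"> <button>Save</button></form>';
}

if ( function_exists( 'add_action' ) ) {
    // Running inside WordPress: wire up the hardened handler and renderer.
    add_action( 'admin_post_gtt_demo_save', 'gtt_demo_save_settings_hardened' );
    add_action( 'wp_footer', function () {
        $s = gtt_demo_sanitize_settings( (array) get_option( 'gtt_demo_settings' ) );
        echo gtt_demo_render_hardened( $s );
    } );
} else {
    // Command-line shims approximating the WordPress helpers (not the real ones).
    function sanitize_text_field( $s ) { return trim( preg_replace( '/\s+/', ' ', strip_tags( $s ) ) ); }
    function absint( $n ) { return abs( (int) $n ); }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    // Constructed forged submission, as an attacker's auto-submitting form would send it.
    $forged = array( 'button_text' => 'Top<img src=x onerror=alert(1)>', 'offset' => '300' );
    echo "vulnerable: " . gtt_demo_render_vulnerable( $forged ) . "\n";
    echo "hardened:   " . gtt_demo_render_hardened( gtt_demo_sanitize_settings( $forged ) ) . "\n";
}
```

The nonce check and the capability check address the CSRF; sanitization on input and escaping on output each independently address the XSS, and keeping both means a value that slipped past sanitization (or was stored before a fix) is still rendered inert.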
Attack Vector
The attack follows a network-based vector requiring user interaction. An attacker crafts a malicious web page containing a hidden form or JavaScript that automatically submits a request to the vulnerable WordPress plugin endpoint. The attack sequence typically follows this pattern:
- Attacker identifies a WordPress site using the vulnerable Go To Top plugin
- Attacker creates a malicious page with an auto-submitting form targeting the plugin's settings endpoint
- Attacker tricks an authenticated WordPress administrator into visiting the malicious page
- The administrator's browser automatically submits the forged request with the administrator's session cookies
- The malicious XSS payload is stored in the plugin's settings
- The stored XSS executes whenever any user visits pages where the plugin renders content
The attack does not require any authentication on the attacker's part and can be delivered through phishing emails, compromised advertisements, or social engineering tactics. One practical caveat: browsers that default cookies to SameSite=Lax (Chrome and Edge) attach a cookie that lacks an explicit SameSite attribute, as the WordPress login cookies do, to a cross-site top-level POST only for a short window after the cookie was set, so exploitability against those browsers depends on the victim's browser and on whether the settings handler also accepts GET requests, which Lax does not block for top-level navigations.
Detection Methods for CVE-2025-28922
Indicators of Compromise
- Unexpected or suspicious JavaScript code in the Go To Top plugin settings
- Unusual outbound network requests from visitor browsers to unknown domains
- Modified plugin settings that administrators did not authorize
- Reports from users about browser warnings or unexpected behavior on the site
Detection Strategies
- Review activity-log and web server access logs for POST requests to the plugin's settings handler and for configuration changes that administrators did not authorize (WordPress core keeps no audit trail of option changes on its own, so an activity-log plugin or the access log is the source)
- Implement Content Security Policy (CSP) headers and monitor for policy violations
- Use a web application firewall (WAF) to reject admin POST requests whose Origin header (or Referer, when Origin is absent) is not the site's own origin; a WAF cannot recognise CSRF from the request body alone, because the forged request is byte-for-byte identical to a legitimate one
- Regularly scan plugin settings and database entries (the wp_options table in particular) for script tags, event-handler attributes, and javascript: URIs
Monitoring Recommendations
- Enable WordPress activity logging plugins to track all administrative actions
- Monitor the Origin and Referer headers on requests to plugin settings endpoints and alert on values from external domains (Origin is sent on cross-origin POSTs even when a referrer policy strips Referer)
- Set up alerts for any modifications to plugin settings outside of expected maintenance windows
- Implement browser-based XSS detection through CSP reporting
How to Mitigate CVE-2025-28922
Immediate Actions Required
- Update the Go To Top plugin to a patched version if available, or deactivate and remove the plugin immediately
- Review and reset all Go To Top plugin settings to default values
- Audit the WordPress database for any injected malicious content
- Force logout all active WordPress sessions and require password resets for administrator accounts
- Implement a Web Application Firewall (WAF) to provide additional protection against CSRF and XSS attacks
Patch Information
According to the Patchstack Vulnerability Report, versions through 0.0.8 are affected. Site administrators should check for available updates or consider using alternative plugins that provide similar functionality with better security practices.
Workarounds
- Deactivate and remove the Go To Top plugin until a patched version becomes available
- Deploy a Content Security Policy that restricts script sources. A policy that blocks all inline scripts will break the WordPress admin and most themes, so start in Content-Security-Policy-Report-Only mode and tighten from the reports; CSP limits what an injected payload can do but does not remove the CSRF
- Use a security plugin or WAF rule that rejects admin POST requests whose Origin header does not match the site's origin; this blocks forged cross-site submissions without changing the plugin
- Restrict administrative access to trusted IP addresses to reduce the attack surface
- Consider implementing two-factor authentication for all WordPress administrator accounts; note that 2FA does not stop CSRF, which rides an already-authenticated session, but it limits what an attacker can do with credentials stolen through the XSS
# WordPress CLI commands for mitigation (run from the site root)
# Deactivate and remove the vulnerable plugin
wp plugin deactivate go-to-top
wp plugin delete go-to-top
# List all active plugins to verify deactivation
wp plugin list --status=active
# Check for available plugin updates without applying them
wp plugin update --all --dry-run
# Invalidate every login session for every user
# (wp user session destroy takes a user argument, so loop over all user IDs)
for id in $(wp user list --field=ID); do wp user session destroy "$id" --all; done
# Alternatively, rotating the authentication salts logs everyone out at once
wp config shuffle-salts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.