Scroll To Top Security & Risk Analysis

wordpress.org/plugins/scroll-top

Automatically adds a flexible Back to Top button to your WordPress website that allows your visitor to scroll back to the top of your page with one cl …

20K active installs · v1.5.3 · PHP 7.2+ · WP 5.6+ · Updated Nov 21, 2023

Tags: back-to-top, button, jquery, scroll-to-top, to-top

Score: 85 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 17, 2022

Is Scroll To Top Safe to Use in 2026?

Generally Safe

Score 85/100

Scroll To Top has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 17, 2022 · Updated 2yr ago
Risk Assessment

The "scroll-top" plugin version 1.5.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and nearly all output is properly escaped, indicating a strong defense against common injection and XSS vulnerabilities. Furthermore, there are no identified critical or high severity vulnerabilities in the taint analysis, and the plugin does not bundle external libraries that could pose a risk. The absence of file operations and external HTTP requests in the code analysis is also a positive sign.

However, there are significant concerns regarding the plugin's attack surface. The static analysis reveals two AJAX handlers, both of which lack authentication checks. This presents a direct pathway for unauthenticated users to interact with these handlers, potentially leading to unintended actions or information disclosure if the handlers are not robustly coded. While the taint analysis shows no critical or high severity issues, the lack of authorization on these entry points is a notable weakness.

The vulnerability history shows one past medium-severity vulnerability, a Cross-Site Scripting (XSS) issue, which has been patched. Although no vulnerabilities are currently unpatched, this incident shows how XSS can reappear if input is not handled carefully. The nonce checks and capability checks present on the identified AJAX handlers are encouraging, but the absence of broader authentication on them is a critical oversight. In conclusion, while the plugin avoids many common pitfalls such as raw SQL and poor output escaping, the unprotected AJAX endpoints are a substantial risk that needs immediate attention. The past XSS vulnerability is a reminder of the importance of comprehensive input validation and authorization on all entry points.

Key Concerns

  • AJAX handlers without auth checks
  • Past medium severity CVE (XSS)

Scroll To Top Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2022-2710 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Scroll To Top <= 1.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 17, 2022 · Patched in 1.4.1 (524 days)
Code Analysis
Analyzed Mar 16, 2026

Scroll To Top Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 1 (63 escaped)
  • Nonce Checks: 2
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 4
  • Bundled Libraries: 0

Output Escaping

98% escaped (64 total outputs)

Scroll To Top Attack Surface

Entry Points: 2 (2 unprotected)

AJAX Handlers (2)

Type   Hook                               Location
auth   wp_ajax_puc_v5_debug_check_now     plugin-update-checker\Puc\v5p2\DebugBar\Extension.php:29
auth   wp_ajax_puc_v5_debug_request_info  plugin-update-checker\Puc\v5p2\DebugBar\PluginExtension.php:16
WordPress Hooks (33)

Type    Hook                                   Location
action  admin_menu                             admin\admin.php:30
action  admin_init                             admin\admin.php:57
action  admin_init                             admin\admin.php:201
action  wp_enqueue_scripts                     inc\functions.php:64
filter  script_loader_tag                      inc\functions.php:83
action  wp_footer                              inc\functions.php:131
action  wp_head                                inc\functions.php:188
filter  debug_bar_panels                       plugin-update-checker\Puc\v5p2\DebugBar\Extension.php:26
action  debug_bar_enqueue_scripts              plugin-update-checker\Puc\v5p2\DebugBar\Extension.php:27
filter  upgrader_post_install                  plugin-update-checker\Puc\v5p2\Plugin\Package.php:37
action  delete_site_transient_update_plugins   plugin-update-checker\Puc\v5p2\Plugin\Package.php:38
action  admin_init                             plugin-update-checker\Puc\v5p2\Plugin\Ui.php:19
filter  plugin_row_meta                        plugin-update-checker\Puc\v5p2\Plugin\Ui.php:26
filter  plugin_row_meta                        plugin-update-checker\Puc\v5p2\Plugin\Ui.php:27
action  all_admin_notices                      plugin-update-checker\Puc\v5p2\Plugin\Ui.php:28
filter  plugins_api                            plugin-update-checker\Puc\v5p2\Plugin\UpdateChecker.php:101
filter  cron_schedules                         plugin-update-checker\Puc\v5p2\Scheduler.php:53
action  admin_init                             plugin-update-checker\Puc\v5p2\Scheduler.php:78
action  load-update-core.php                   plugin-update-checker\Puc\v5p2\Scheduler.php:82
action  upgrader_process_complete              plugin-update-checker\Puc\v5p2\Scheduler.php:90
action  init                                   plugin-update-checker\Puc\v5p2\UpdateChecker.php:102
filter  upgrader_source_selection              plugin-update-checker\Puc\v5p2\UpdateChecker.php:146
filter  http_request_host_is_external          plugin-update-checker\Puc\v5p2\UpdateChecker.php:150
action  plugins_loaded                         plugin-update-checker\Puc\v5p2\UpdateChecker.php:156
action  puc_api_error                          plugin-update-checker\Puc\v5p2\UpdateChecker.php:265
filter  upgrader_pre_install                   plugin-update-checker\Puc\v5p2\UpgraderStatus.php:19
filter  upgrader_package_options               plugin-update-checker\Puc\v5p2\UpgraderStatus.php:20
filter  upgrader_post_install                  plugin-update-checker\Puc\v5p2\UpgraderStatus.php:21
action  upgrader_process_complete              plugin-update-checker\Puc\v5p2\UpgraderStatus.php:22
filter  upgrader_pre_download                  plugin-update-checker\Puc\v5p2\Vcs\GitHubApi.php:355
filter  http_request_args                      plugin-update-checker\Puc\v5p2\Vcs\GitHubApi.php:404
action  requests-requests.before_redirect      plugin-update-checker\Puc\v5p2\Vcs\GitHubApi.php:405
action  plugins_loaded                         scroll-top.php:54

Scroll To Top Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Nov 21, 2023
PHP min version: 7.2
Downloads: 183K

Community Trust

Rating: 90/100
Number of ratings: 13
Active installs: 20K

Scroll To Top Developer Profile

Ga Satrya

6 plugins · 41K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 524 days

How We Detect Scroll To Top

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/scroll-top/assets/css/scroll-top-admin.css
  • /wp-content/plugins/scroll-top/assets/js/scroll-top-admin.js

Version Parameters
  • scroll-top/assets/css/scroll-top-admin.css?ver=
  • scroll-top/assets/js/scroll-top-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • scroll-top-btn

Data Attributes
  • data-scroll-top-enabled
  • data-scroll-top-mobile-enabled
  • data-scroll-top-async-enabled
  • data-scroll-top-type
  • data-scroll-top-text
  • data-scroll-top-position
  • +8 more

JS Globals
  • ScrollTop

Frequently Asked Questions about Scroll To Top