WP-Safety

To Top Security & Risk Analysis

wordpress.org/plugins/to-top

To Top is a nifty lightweight plugin. It adds a highly customizable button, which when clicked, scrolls up smoothly to the top of a page.

60K active installs v3.0 PHP + WP 5.9+ Updated Mar 11, 2026
arrowbuttoniconscroll-upto-top
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is To Top Safe to Use in 2026?

Generally Safe

Score 100/100

To Top has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 23d ago
Risk Assessment

The 'to-top' plugin v3.1 exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The absence of known CVEs, particularly unpatched ones, is a significant positive indicator. The code analysis reveals good practices such as 100% of SQL queries using prepared statements and a substantial number of capability checks (9) and nonce checks (2) for its entry points. Furthermore, the plugin has no file operations, external HTTP requests, or bundled libraries, reducing its potential attack surface and dependency risks. However, a potential area for concern lies in the output escaping, where 79% is properly escaped. While this is a good percentage, the remaining 21% of outputs could potentially be vulnerable to cross-site scripting (XSS) if the unescaped data originates from untrusted user input. The plugin's attack surface, though small with 3 AJAX handlers, has 0 unprotected entry points, which is excellent. The lack of any taint analysis findings further supports a relatively secure implementation in this version.

Key Concerns

  • Output escaping not fully implemented
Vulnerabilities
None known

To Top Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

To Top Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
27
99 escaped
Nonce Checks
2
Capability Checks
9
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

79% escaped126 total outputs
Attack Surface

To Top Attack Surface

Entry Points3
Unprotected0

AJAX Handlers 3

authwp_ajax_query-themesadmin\inc\CatchThemesThemePlugin.php:12
authwp_ajax_customize_load_themesadmin\inc\CatchThemesThemePlugin.php:22
authwp_ajax_ctp_switchadmin\inc\ctp-tabs-removal.php:89
WordPress Hooks 21
actionadmin_enqueue_scriptsadmin\inc\CatchThemesThemePlugin.php:14
actioncustomize_registeradmin\inc\CatchThemesThemePlugin.php:17
filterinstall_plugins_tabsadmin\inc\CatchThemesThemePlugin.php:24
filterinstall_plugins_table_api_args_catchpluginsadmin\inc\CatchThemesThemePlugin.php:25
actioninstall_plugins_catchpluginsadmin\inc\CatchThemesThemePlugin.php:26
actionadmin_initadmin\inc\ctp-tabs-removal.php:21
actionplugins_loadedincludes\class-to-top.php:134
actionadmin_enqueue_scriptsincludes\class-to-top.php:149
actionadmin_enqueue_scriptsincludes\class-to-top.php:150
actionadmin_menuincludes\class-to-top.php:152
actionadmin_initincludes\class-to-top.php:153
actioncustomize_registerincludes\class-to-top.php:155
filterplugin_action_linksincludes\class-to-top.php:157
actioncustomize_controls_enqueue_scriptsincludes\class-to-top.php:159
actioncustomize_preview_initincludes\class-to-top.php:161
filterplugin_row_metaincludes\class-to-top.php:163
actionwp_enqueue_scriptsincludes\class-to-top.php:178
actionwp_enqueue_scriptsincludes\class-to-top.php:179
actionwp_footerincludes\class-to-top.php:181
actionadmin_footerincludes\class-to-top.php:182
filterscript_loader_tagincludes\class-to-top.php:183
Maintenance & Trust

To Top Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedMar 11, 2026
PHP min version
Downloads1.3M

Community Trust

Rating98/100
Number of ratings54
Active installs60K
Alternatives

To Top Alternatives

Click to top

Click to top

click-to-top

A
99

A wordpress plugin to create a customisable Click To Top feature.

2K 2 CVEs
Scroll To Top

Scroll To Top

tp-back-to-top

A
100

Tp Scroll Top is fully responsive plugin for WordPress.

300 No CVEs
Tipu Scroll To Top

Tipu Scroll To Top

tipu-scroll-to-top

A
85

License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html This Plugin adds a scroll to top button in your site

300 No CVEs
X-Scroll To Top – Responsive

X-Scroll To Top – Responsive

x-scroll-to-top-responsive

A
100

X-Scroll To Top adds a customizable scroll-up button to your site. Personalize it to seamlessly match your design and enhance functionality.

300 No CVEs
Sticky Back2Top Universal

Sticky Back2Top Universal

sticky-back2top-for-genesis

A
85

Tested up to: 5.1.1 Adds a sticky icon to any WordPress site, gently returning users to the top. Works on all themes, but optimized for Genesis.

100 No CVEs
Developer Profile

To Top Developer Profile

Catch Themes

155 plugins · 226K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
251 days
View full developer profile
Detection Fingerprints

How We Detect To Top

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/to-top/public/css/to-top-public.css/wp-content/plugins/to-top/admin/js/jquery.matchHeight.min.js/wp-content/plugins/to-top/admin/js/to-top-admin.js
Version Parameters
/wp-content/plugins/to-top/admin/css/to-top-admin.css?ver=/wp-content/plugins/to-top/admin/css/admin-dashboard.css?ver=/wp-content/plugins/to-top/public/css/to-top-public.css?ver=/wp-content/plugins/to-top/admin/js/jquery.matchHeight.min.js?ver=/wp-content/plugins/to-top/admin/js/to-top-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
to-top-iconto-top-image
Data Attributes
data-scroll-offsetdata-icon-opacitydata-styledata-icon-typedata-icon-colordata-icon-bg-color+12 more
JS Globals
to_top_options
FAQ

Frequently Asked Questions about To Top