CVE-2024-6320

Name of the Vulnerable Software and Affected Versions: ScrollTo Top plugin for WordPress versions up to, and including, 1.2.2

Description: The issue is due to missing nonce validation and missing file type validation in the options page function, making it possible for unauthenticated attackers to upload arbitrary files on the affected site's server. This may make remote code execution possible via a forged request if attackers can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 1.2.2, update to a version that includes nonce validation and file type validation to prevent arbitrary file uploads. As a temporary workaround, consider disabling the options page function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.