CVE-2026-6401
Cross-Site Request Forgery in Bottom Bar WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bottom_bar | bottom_bar | all versions up to and including 0.1.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Bottom Bar plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 0.1.7. The plugin's settings update forms do not include nonce verification, the WordPress mechanism that ties a state-changing request to the session of the user who loaded the form. Specifically, the forms lack wp_nonce_field() and the server-side code does not call check_admin_referer() or any similar nonce validation before processing POST data and updating options. Because a browser attaches the administrator's cookies to any request made to the site, regardless of which page issued it, an attacker can trick a logged-in administrator into submitting a crafted request (for example via a link or an auto-submitting form on an attacker-controlled page) that changes plugin settings without the administrator's knowledge.
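The following is an added illustration of the pattern described above, written for this page; it is not code from the Bottom Bar plugin. The function names, the option names bb_language and bb_max_posts, and the nonce action bb_save_settings are hypothetical placeholders. The first handler shows the CWE-352 shape (a form with no nonce and a handler that saves POST data unconditionally); the second shows the same handler with the nonce and a capability check added, using only standard WordPress functions.

```php
<?php
// Added example, not the plugin's own code. Option names, function names and
// the nonce action string are hypothetical placeholders.

// ---- Vulnerable pattern: no nonce in the form, no nonce or capability check
// ---- in the handler. Any request the admin's browser can be induced to send
// ---- (e.g. an auto-submitting form on another site) is accepted and saved.
function bb_vuln_render_settings_page() {
    ?>
    <form method="post">
        <input type="text" name="bb_language"
               value="<?php echo esc_attr( get_option( 'bb_language', 'en' ) ); ?>">
        <input type="number" name="bb_max_posts"
               value="<?php echo esc_attr( get_option( 'bb_max_posts', 5 ) ); ?>">
        <input type="submit" name="bb_save" value="Save">
    </form>
    <?php
}

function bb_vuln_handle_post() {
    if ( isset( $_POST['bb_save'] ) ) {
        // No check_admin_referer(), no current_user_can(): CWE-352.
        update_option( 'bb_language', $_POST['bb_language'] );
        update_option( 'bb_max_posts', $_POST['bb_max_posts'] );
    }
}

// ---- Hardened pattern: wp_nonce_field() in the form, check_admin_referer()
// ---- plus a capability check in the handler, and input sanitization.
function bb_safe_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bb_save_settings', 'bb_settings_nonce' ); ?>
        <input type="text" name="bb_language"
               value="<?php echo esc_attr( get_option( 'bb_language', 'en' ) ); ?>">
        <input type="number" name="bb_max_posts"
               value="<?php echo esc_attr( get_option( 'bb_max_posts', 5 ) ); ?>">
        <input type="submit" name="bb_save" value="Save">
    </form>
    <?php
}

function bb_safe_handle_post() {
    if ( ! isset( $_POST['bb_save'] ) ) {
        return;
    }
    // Authorization: a nonce proves intent, not permission, so both checks
    // are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF protection: the nonce is derived from the current user's session
    // and the action string, so a cross-site form cannot supply a valid one.
    // check_admin_referer() stops execution (wp_nonce_ays) on failure.
    check_admin_referer( 'bb_save_settings', 'bb_settings_nonce' );

    $language  = sanitize_text_field( wp_unslash( $_POST['bb_language'] ?? '' ) );
    $max_posts = absint( $_POST['bb_max_posts'] ?? 0 );

    update_option( 'bb_language', $language );
    update_option( 'bb_max_posts', $max_posts );
}
```

Two practitioner notes. First, a nonce check alone does not fix an authorization gap: check_admin_referer() only confirms that the request came from a form the same logged-in user rendered, so the current_user_can() check stays. Second, plugins that register their options through the Settings API (register_setting() with a form posting to options.php and settings_fields() in the form) get the nonce emission and validation from WordPress core rather than hand-rolling it, which is the more common way to avoid this class of bug.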
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to manipulate the plugin's configuration, but only indirectly: the attacker must induce a logged-in administrator to visit a page or follow a link that submits the forged request, and the request is then processed under the administrator's session. The attacker can change settings such as the language, maximum post counts, or enabled sharing services. This can lead to unauthorized changes in the website's behavior or appearance, potentially disrupting normal operations or exposing the site to further attacks.