CVE-2026-6401
Status: Deferred - Pending Action
Cross-Site Request Forgery in Bottom Bar WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.
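The pattern the advisory describes (POST data passed to update_option() with no nonce check) next to the hardened form, as an added example; this is illustrative code, not the Bottom Bar plugin's source, and the bb_demo_* option, field and nonce names are assumed placeholders.

```php
<?php
// Added example, not the plugin's own code. Option/field/nonce names (bb_demo_*)
// are assumed placeholders.

// --- Vulnerable pattern: POST data written straight to update_option(). ---
// Any page a logged-in administrator visits can auto-submit a form to this
// handler, because nothing ties the request to a form WordPress rendered.
function bb_demo_save_settings_vulnerable() {
    if ( isset( $_POST['bb_demo_language'] ) ) {
        // No check_admin_referer() and no capability check before the write.
        update_option( 'bb_demo_language', sanitize_text_field( wp_unslash( $_POST['bb_demo_language'] ) ) );
    }
}

// --- Hardened form: nonce field in the form, nonce + capability check on save. ---
function bb_demo_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'bb_demo_save_settings', 'bb_demo_nonce' ); ?>
        <label>Language
            <input type="text" name="bb_demo_language"
                   value="<?php echo esc_attr( get_option( 'bb_demo_language', 'en' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

function bb_demo_save_settings_hardened() {
    if ( ! isset( $_POST['bb_demo_language'] ) ) {
        return;
    }
    // CSRF defence: the nonce proves the form was rendered for this user session.
    // check_admin_referer() stops execution (wp_die) when the nonce is missing or invalid.
    check_admin_referer( 'bb_demo_save_settings', 'bb_demo_nonce' );

    // Authorization is a separate check from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bb-demo' ) );
    }

    // Validate against an allow-list rather than storing arbitrary input.
    $language = sanitize_text_field( wp_unslash( $_POST['bb_demo_language'] ) );
    $allowed  = array( 'en', 'de', 'fr', 'es' ); // constructed sample list
    if ( in_array( $language, $allowed, true ) ) {
        update_option( 'bb_demo_language', $language );
    }
}
add_action( 'admin_init', 'bb_demo_save_settings_hardened' );
```

For detection, a settings POST to the plugin's admin page that carries no _wpnonce-style field, or whose Referer/Origin is not the site's own wp-admin, is the request shape this fix rejects.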
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-06-09
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Related records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: bottom_bar
Product: bottom_bar
Version / Range: up to and including 0.1.7
Weakness
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

The Bottom Bar plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 0.1.7. This happens because the plugin's settings update forms do not include nonce verification, which is a security measure to confirm that requests are legitimate. Specifically, the forms lack wp_nonce_field() and the server-side code does not call check_admin_referer() or any similar nonce validation before processing POST data and updating options. As a result, an attacker can trick a logged-in administrator into submitting a crafted request that changes plugin settings without their consent.

Impact Analysis

This vulnerability allows unauthenticated attackers to manipulate the plugin's configuration by tricking an administrator into submitting malicious requests. The attacker can change settings such as the language, maximum post counts, or enabled sharing services. This can lead to unauthorized changes in the website's behavior or appearance, potentially disrupting normal operations or exposing the site to further attacks.

Mitigation Strategies

The vulnerability exists because the Bottom Bar plugin for WordPress up to version 0.1.7 lacks nonce verification on its settings update forms, allowing Cross-Site Request Forgery (CSRF) attacks.

Immediate mitigation steps include:

  • Update the Bottom Bar plugin to a version later than 0.1.7 where nonce verification is implemented.
  • If an update is not available, temporarily disable or remove the Bottom Bar plugin to prevent exploitation.
  • Restrict administrative access to trusted users only and avoid logging into the WordPress admin panel from untrusted networks.
  • Monitor for suspicious POST requests targeting the plugin's settings forms and consider implementing Web Application Firewall (WAF) rules to block CSRF attempts.
Compliance Impact

The vulnerability allows unauthenticated attackers to trick logged-in administrators into changing plugin configuration options without proper verification. This could potentially lead to unauthorized changes in the system settings.

However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
