CVE-2026-9723
Received Received - Intake
Cross-Site Request Forgery in Google Plus One Bottom WordPress Plugin

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Wordfence

Description
The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-02
AI Q&A
2026-06-02
EPSS Evaluated
N/A
NVD
CVE-2026-9723
EUVD
EUVD-2026-33890
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Google Plus One Bottom plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 0.0.2. This vulnerability arises because the plugin's googlePlusOneAdmin function lacks proper nonce validation, which is a security measure to verify legitimate requests.

As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking on a malicious link, which then allows the attacker to modify the plugin's settings stored in the database.

  • Settings that can be modified include plusone-lang, plusone-callback, and plusone-url options.

How can this vulnerability impact me? :

This vulnerability can allow an unauthenticated attacker to change the configuration of the Google Plus One Bottom plugin on your WordPress site without your consent.

Since the attacker can modify settings such as language, callback URLs, and URLs used by the plugin, this could lead to unexpected behavior or redirection to malicious sites.

The impact is rated with a CVSS base score of 4.3, indicating a low to medium severity, primarily affecting the integrity of the plugin's settings but not directly compromising confidentiality or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthenticated attackers to modify plugin settings via Cross-Site Request Forgery, potentially leading to unauthorized changes in the website's configuration.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart