CVE-2026-9723
Deferred Deferred - Pending Action
Cross-Site Request Forgery in Google Plus One Bottom WordPress Plugin

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Wordfence

Description
The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-9723
EUVD
EUVD-2026-33890
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update or remove the Google Plus One Bottom plugin for WordPress if it is at version 0.0.2 or earlier.

Additionally, ensure that nonce validation is properly implemented on the googlePlusOneAdmin function to prevent Cross-Site Request Forgery attacks.

As a precaution, avoid clicking on suspicious links that could trigger unauthorized changes to plugin settings.

Executive Summary

The Google Plus One Bottom plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 0.0.2. This vulnerability arises because the plugin's googlePlusOneAdmin function lacks proper nonce validation, which is a security measure to verify legitimate requests.

As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking on a malicious link, which then allows the attacker to modify the plugin's settings stored in the database.

  • Settings that can be modified include plusone-lang, plusone-callback, and plusone-url options.
Impact Analysis

This vulnerability can allow an unauthenticated attacker to change the configuration of the Google Plus One Bottom plugin on your WordPress site without your consent.

Since the attacker can modify settings such as language, callback URLs, and URLs used by the plugin, this could lead to unexpected behavior or redirection to malicious sites.

The impact is rated with a CVSS base score of 4.3, indicating a low to medium severity, primarily affecting the integrity of the plugin's settings but not directly compromising confidentiality or availability.

Compliance Impact

The vulnerability allows unauthenticated attackers to modify plugin settings via Cross-Site Request Forgery, potentially leading to unauthorized changes in the website's configuration.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart