CVE-2026-9723
4.3 MEDIUMThe Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2
Published: 2026-06-02 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE
- CWE-352
Description
The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9723
- [Other]https://plugins.trac.wordpress.org/browser/google-plus-one-bottom/tags/0.0.2/googlePlusOne.php#L34
- [Other]https://plugins.trac.wordpress.org/browser/google-plus-one-bottom/tags/0.0.2/googlePlusOne.php#L64
- [Other]https://plugins.trac.wordpress.org/browser/google-plus-one-bottom/tags/0.0.2/googlePlusOne.php#L73
- [Other]https://www.wordfence.com/threat-intel/vulnerabilities/id/43af2d38-72e8-405f-a910-500fb782ded2?source=cve
Related CVEs
Same CWE
- CVE-2026-49396 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.1 HIGH)
- CVE-2026-54359 — MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled
- CVE-2026-48612 — Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’... (8.0 HIGH)
- CVE-2022-47150 — Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery (4.3 MEDIUM)
- CVE-2022-44630 — Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery (4.6 MEDIUM)