CVE-2026-9723: CSRF Vulnerability in Google Plus One Bottom WordPress Plugin – Security Update
The Google Plus One Bottom plugin for WordPress contains a cross-site request forgery (CSRF) flaw that allows attackers to manipulate plugin settings without proper authorization. An attacker can craft a malicious link or web page that, when clicked by a site administrator, will change critical plugin configuration options—such as language preferences, callback functions, and URLs—without the administrator's knowledge or consent. This attack requires social engineering to trick an admin into clicking the malicious link, but requires no authentication or technical exploit code to execute.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9723 is a CSRF vulnerability in the Google Plus One Bottom WordPress plugin affecting all versions through 0.0.2. The vulnerability exists in the googlePlusOneAdmin function, which processes form requests without validating WordPress nonces—security tokens that verify requests originate from legitimate, authenticated sessions. An attacker can construct an HTTP request that modifies the plusone-lang, plusone-callback, and plusone-url options stored in wp_options by exploiting a site administrator's browser session. The attack vector is network-based, requires low complexity, and depends on user interaction (UI:R). No privilege escalation or confidentiality breach occurs; impact is limited to integrity of plugin configuration.
Business impact
Compromised plugin settings can degrade user experience and website functionality. If the plusone-callback or plusone-url options are redirected to attacker-controlled domains, visitors may be directed to malicious sites, leading to drive-by downloads, phishing, or defacement. Additionally, altered language and callback settings could break expected plugin behavior or introduce unexpected JavaScript execution contexts. For WordPress site owners relying on this plugin for Google Plus integration (noting that Google Plus has been deprecated), the primary risk is administrative control loss and potential visitor compromise rather than data breach.
Affected systems
The Google Plus One Bottom WordPress plugin in all versions up to and including 0.0.2 is affected. Any WordPress installation using this plugin is at risk if site administrators can be socially engineered. The vulnerability does not require specific WordPress core versions or hosting configurations; it is plugin-specific and affects all deployments of the vulnerable plugin code.
Exploitability
Exploitation is straightforward from a technical standpoint: an attacker crafts a GET or POST request embedding the malicious plugin options and hosts it on a web page or sends it via email/messaging. When a site administrator visits the attacker's page while logged into their WordPress dashboard, the browser automatically submits the forged request and the plugin settings are modified. The attack is not known to be actively exploited in the wild (KEV status: false) and requires a user interaction trigger. The CVSS score of 4.3 reflects medium severity due to the social engineering requirement, but the ease of weaponization should not be underestimated.
Remediation
Update the Google Plus One Bottom plugin to a patched version released after 0.0.2. Site operators should verify with the plugin vendor or WordPress plugin directory for the latest available version and apply it immediately. If no updated version is available, disable and deactivate the plugin until a fix is released. Alternatively, conduct a security review of the plugin's codebase or consider replacing it with a maintained alternative.
Patch guidance
Verify the latest patched version of the Google Plus One Bottom plugin against the official WordPress plugin repository or the plugin vendor's advisory. Apply updates through the WordPress dashboard (Plugins > Installed Plugins > Update available) or via command-line tools (e.g., wp plugin update). Test the update in a staging environment if possible to confirm no configuration loss or incompatibility before deploying to production. After patching, audit the plugin's stored options in the database to confirm they have not been maliciously altered.
Detection guidance
Monitor WordPress administrative request logs for unusual POST/GET requests to the plugin's admin handler with parameter names plusone-lang, plusone-callback, or plusone-url originating from unexpected referers or IP addresses. Check wp_options table for unexpected changes to plusone_* option values, particularly if the plusone-url or plusone-callback have been rewritten to external domains. Implement a Web Application Firewall (WAF) rule to flag requests lacking valid WordPress nonce tokens to the plugin's admin functions. Regular audits of plugin settings via WordPress admin audit logs (if logging is enabled) will help detect unauthorized changes post-exploitation.
Why prioritize this
Although assigned a CVSS score of 4.3 (medium), this vulnerability warrants prioritization because (1) it affects administrative control of a public-facing plugin, (2) exploitation is trivial and requires only social engineering, (3) the impact—redirecting visitors or injecting malicious callbacks—can compromise user trust and security, and (4) the plugin appears to be unmaintained or rarely updated (version 0.0.2 suggests early-stage or abandoned code). Site administrators using this plugin should patch or disable it urgently.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects: Attack Vector = Network (AV:N, remotely exploitable), Attack Complexity = Low (AC:L, no special conditions required), Privileges Required = None (PR:N), User Interaction = Required (UI:R, social engineering needed), Scope = Unchanged (S:U, impact limited to the plugin and WordPress instance), Confidentiality Impact = None (C:N), Integrity Impact = Low (I:L, plugin settings modified), Availability Impact = None (A:N). The score is conservative because it requires user interaction; however, real-world risk is elevated by the ease of social engineering and the severity of potential consequences (visitor redirection).
Frequently asked questions
Is this plugin still maintained?
The Google Plus One Bottom plugin has version 0.0.2 as its highest numbered release, suggesting it may be unmaintained. Verify the plugin's status on WordPress.org or contact the vendor directly. If no patch is forthcoming, consider removing the plugin entirely or migrating to a modern, maintained alternative.
Can this vulnerability be exploited without tricking an administrator?
No. The CSRF attack requires a site administrator to click a malicious link or visit an attacker-controlled page while logged into WordPress. An attacker cannot trigger the vulnerability against an unauthenticated visitor. However, a single social engineering message is sufficient to compromise the plugin's settings.
What happens if the plusone-url is changed to a malicious domain?
If an attacker changes plusone-url to point to their domain, the plugin will load Google Plus One widgets from that attacker-controlled location instead of Google's servers. This could inject malicious JavaScript, redirect visitors, or serve malware. Any visitor interacting with the compromised widget is at risk.
Do I need to patch if I've already disabled the plugin?
Disabling the plugin stops the vulnerable code from executing, but does not remove it from the filesystem. Uninstall the plugin entirely or update it to a patched version to fully remediate the risk and prevent accidental re-enablement.
This analysis is provided for informational purposes and does not constitute professional security advice or legal counsel. Vulnerability details and patch availability may change; verify all vendor advisories and release notes before applying updates. Testing in non-production environments is strongly recommended. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for damages arising from its use. Organizations should conduct independent risk assessments aligned with their security policies and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2026-4071MEDIUMBirdSeed WordPress Plugin CSRF Vulnerability – Patch & Detection Guide
- CVE-2026-42073MEDIUMOpenClaude OAuth State Validation Bypass Denial of Service
- CVE-2026-45610MEDIUMWWBN AVideo 2FA CSRF Vulnerability – Cross-Site Account Takeover Risk