Google Plus One Bottom <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page
Description
The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=0.0.2# Exploitation Research Plan: CVE-2026-9723 ## 1. Vulnerability Summary The **Google Plus One Bottom** plugin (<= 0.0.2) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in its administrative settings processing logic. The function responsible for rendering and saving the se…
Show full research plan
Exploitation Research Plan: CVE-2026-9723
1. Vulnerability Summary
The Google Plus One Bottom plugin (<= 0.0.2) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in its administrative settings processing logic. The function responsible for rendering and saving the settings, googlePlusOneAdmin (inferred), fails to implement nonce validation (e.g., check_admin_referer()). This allows an attacker to trick a logged-in administrator into submitting a forged request that modifies critical plugin configurations, such as the language, callback functions, or target URLs for the Google Plus One button.
2. Attack Vector Analysis
- Target Endpoint:
/wp-admin/options-general.php?page=google-plus-one-bottom(inferred slug based on plugin name). - Vulnerable Action: POST request to the settings page when the
submit(or similar) parameter is present. - Required Authentication: Administrator (victim must be logged in to execute the CSRF).
- Payload Parameters (inferred from CVE description):
plusone-lang: The language code for the button.plusone-callback: A JavaScript callback function name.plusone-url: The URL the button targets.
- Preconditions: The attacker must be able to trick the admin into clicking a link or visiting a page that triggers a cross-origin POST request to the WordPress site.
3. Code Flow (Inferred)
- Hook Registration: The plugin likely hooks into
admin_menuto register a settings page.add_action('admin_menu', 'googlePlusOneMenu'); function googlePlusOneMenu() { add_options_page('Google Plus One', 'Google +1', 'manage_options', 'google-plus-one-bottom', 'googlePlusOneAdmin'); } - Processing Function: The
googlePlusOneAdminfunction handles both displaying the form and saving data. - Vulnerable Sink: Inside
googlePlusOneAdmin, the code likely checks for POST data:function googlePlusOneAdmin() { if (isset($_POST['update_googlePlusOneSettings'])) { // Or similar submit check // VULNERABILITY: No check_admin_referer() call here update_option('plusone-lang', $_POST['plusone-lang']); update_option('plusone-callback', $_POST['plusone-callback']); update_option('plusone-url', $_POST['plusone-url']); } // ... renders the form ... }
4. Nonce Acquisition Strategy
According to the CVE description, the vulnerability exists because of missing or incorrect nonce validation.
- If missing: No nonce is required. The exploit can proceed with a direct POST request.
- If incorrect: The plugin might be using a generic nonce or failing to check the return value of
wp_verify_nonce.
Since the primary flaw is the lack of protection, the exploitation strategy will assume no nonce is required.
5. Exploitation Strategy
The goal is to demonstrate that an unauthenticated attacker can change plugin settings via a forged request from an administrator.
- Identify Parameters: Access the settings page as an admin and inspect the form fields to confirm the exact
nameattributes for the inputs and the submit button. - Craft Payload: Create a POST request that updates the options to malicious values (e.g., setting
plusone-callbackto an alert script orplusone-urlto a malicious site). - Execute Request: Use the
http_requesttool while authenticated as an administrator to simulate the CSRF.
Expected HTTP Request
POST /wp-admin/options-general.php?page=google-plus-one-bottom HTTP/1.1
Host: target.local
Content-Type: application/x-www-form-urlencoded
Cookie: [Admin Session Cookies]
plusone-lang=en-US&plusone-callback=alert(1)&plusone-url=https://attacker.com&update_googlePlusOneSettings=Save+Changes
6. Test Data Setup
- Install Plugin: Ensure
google-plus-one-bottomversion 0.0.2 is installed and active. - Verify Default State:
wp option get plusone-lang wp option get plusone-url - Create Admin: Ensure a standard administrator user exists for the simulation.
7. Expected Results
- The server should return a
200 OKor302 Found(redirect). - The database options
plusone-lang,plusone-callback, andplusone-urlshould reflect the values sent in the POST request. - No "Are you sure you want to do this?" (WordPress's default CSRF failure message) should appear.
8. Verification Steps
After the http_request is sent, verify the change via WP-CLI:
# Check if the settings were updated
wp option get plusone-lang
wp option get plusone-callback
wp option get plusone-url
If the values match en-US, alert(1), and https://attacker.com respectively, the CSRF is confirmed.
9. Alternative Approaches
- Settings Page Discovery: If the slug
google-plus-one-bottomis incorrect, usewp post list --post_type=pageis not relevant; instead, usegrep -r "add_options_page" wp-content/plugins/google-plus-one-bottom/to find the correct slug and callback function. - XSS Chain: If
plusone-callbackorplusone-urlare rendered on the frontend without escaping, use the CSRF to inject a script tag, upgrading the CSRF to a Stored XSS attack. - Submit Variable: If
update_googlePlusOneSettingsis not the correct name for the submit button, usebrowser_evalto find the submit button name:browser_eval("document.querySelector('input[type=submit]').name")
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.