[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvO2dr0dxqyR66z4fi_iYAfKyynCT_pqgq6Yu-5_ea7U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-9723","google-plus-one-bottom-cross-site-request-forgery-to-plugin-settings-update-via-settings-page","Google Plus One Bottom \u003C= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page","The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","google-plus-one-bottom",null,"\u003C=0.0.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-01 19:43:50","2026-06-02 07:48:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F43af2d38-72e8-405f-a910-500fb782ded2?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-9723\n\n## 1. Vulnerability Summary\nThe **Google Plus One Bottom** plugin (\u003C= 0.0.2) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in its administrative settings processing logic. The function responsible for rendering and saving the settings, `googlePlusOneAdmin` (inferred), fails to implement nonce validation (e.g., `check_admin_referer()`). This allows an attacker to trick a logged-in administrator into submitting a forged request that modifies critical plugin configurations, such as the language, callback functions, or target URLs for the Google Plus One button.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** `\u002Fwp-admin\u002Foptions-general.php?page=google-plus-one-bottom` (inferred slug based on plugin name).\n*   **Vulnerable Action:** POST request to the settings page when the `submit` (or similar) parameter is present.\n*   **Required Authentication:** Administrator (victim must be logged in to execute the CSRF).\n*   **Payload Parameters (inferred from CVE description):**\n    *   `plusone-lang`: The language code for the button.\n    *   `plusone-callback`: A JavaScript callback function name.\n    *   `plusone-url`: The URL the button targets.\n*   **Preconditions:** The attacker must be able to trick the admin into clicking a link or visiting a page that triggers a cross-origin POST request to the WordPress site.\n\n## 3. Code Flow (Inferred)\n1.  **Hook Registration:** The plugin likely hooks into `admin_menu` to register a settings page.\n    ```php\n    add_action('admin_menu', 'googlePlusOneMenu');\n    function googlePlusOneMenu() {\n        add_options_page('Google Plus One', 'Google +1', 'manage_options', 'google-plus-one-bottom', 'googlePlusOneAdmin');\n    }\n    ```\n2.  **Processing Function:** The `googlePlusOneAdmin` function handles both displaying the form and saving data.\n3.  **Vulnerable Sink:** Inside `googlePlusOneAdmin`, the code likely checks for POST data:\n    ```php\n    function googlePlusOneAdmin() {\n        if (isset($_POST['update_googlePlusOneSettings'])) { \u002F\u002F Or similar submit check\n            \u002F\u002F VULNERABILITY: No check_admin_referer() call here\n            update_option('plusone-lang', $_POST['plusone-lang']);\n            update_option('plusone-callback', $_POST['plusone-callback']);\n            update_option('plusone-url', $_POST['plusone-url']);\n        }\n        \u002F\u002F ... renders the form ...\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nAccording to the CVE description, the vulnerability exists because of **missing or incorrect nonce validation**. \n*   **If missing:** No nonce is required. The exploit can proceed with a direct POST request.\n*   **If incorrect:** The plugin might be using a generic nonce or failing to check the return value of `wp_verify_nonce`.\n\nSince the primary flaw is the lack of protection, the exploitation strategy will assume **no nonce is required**.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can change plugin settings via a forged request from an administrator.\n\n1.  **Identify Parameters:** Access the settings page as an admin and inspect the form fields to confirm the exact `name` attributes for the inputs and the submit button.\n2.  **Craft Payload:** Create a POST request that updates the options to malicious values (e.g., setting `plusone-callback` to an alert script or `plusone-url` to a malicious site).\n3.  **Execute Request:** Use the `http_request` tool while authenticated as an administrator to simulate the CSRF.\n\n### Expected HTTP Request\n```http\nPOST \u002Fwp-admin\u002Foptions-general.php?page=google-plus-one-bottom HTTP\u002F1.1\nHost: target.local\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Admin Session Cookies]\n\nplusone-lang=en-US&plusone-callback=alert(1)&plusone-url=https:\u002F\u002Fattacker.com&update_googlePlusOneSettings=Save+Changes\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `google-plus-one-bottom` version 0.0.2 is installed and active.\n2.  **Verify Default State:**\n    ```bash\n    wp option get plusone-lang\n    wp option get plusone-url\n    ```\n3.  **Create Admin:** Ensure a standard administrator user exists for the simulation.\n\n## 7. Expected Results\n*   The server should return a `200 OK` or `302 Found` (redirect).\n*   The database options `plusone-lang`, `plusone-callback`, and `plusone-url` should reflect the values sent in the POST request.\n*   No \"Are you sure you want to do this?\" (WordPress's default CSRF failure message) should appear.\n\n## 8. Verification Steps\nAfter the `http_request` is sent, verify the change via WP-CLI:\n```bash\n# Check if the settings were updated\nwp option get plusone-lang\nwp option get plusone-callback\nwp option get plusone-url\n```\nIf the values match `en-US`, `alert(1)`, and `https:\u002F\u002Fattacker.com` respectively, the CSRF is confirmed.\n\n## 9. Alternative Approaches\n*   **Settings Page Discovery:** If the slug `google-plus-one-bottom` is incorrect, use `wp post list --post_type=page` is not relevant; instead, use `grep -r \"add_options_page\" wp-content\u002Fplugins\u002Fgoogle-plus-one-bottom\u002F` to find the correct slug and callback function.\n*   **XSS Chain:** If `plusone-callback` or `plusone-url` are rendered on the frontend without escaping, use the CSRF to inject a script tag, upgrading the CSRF to a Stored XSS attack.\n*   **Submit Variable:** If `update_googlePlusOneSettings` is not the correct name for the submit button, use `browser_eval` to find the submit button name:\n    `browser_eval(\"document.querySelector('input[type=submit]').name\")`","gemini-3-flash-preview","2026-06-04 14:35:06","2026-06-04 14:35:38",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-plus-one-bottom\u002Ftags"]