Description
The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Update Plugin
AI Analysis

Impact

This vulnerability arises from missing or incorrect nonce validation on the google-plus-one-share-button admin page, so the settings handler cannot distinguish a form the administrator submitted from one submitted on the administrator's behalf by a third-party page. An attacker who lures a logged-in administrator to such a page can update the plugin's settings and store script in them; that script then executes in the browser of anyone who views a page where the stored setting is rendered. The result is stored cross-site scripting. Per the CVSS vector (C:L/I:L/A:N with changed scope) the rated impact is limited loss of confidentiality and integrity and no availability impact, but the effect reaches the site's visitors rather than staying confined to the admin panel.

Affected Systems

The issue affects the WordPress plugin Add Google +1 (Plus one) social share Button distributed by the vendor rohanpawale, specifically all releases up to and including version 1.0.0. WordPress sites that have this plugin installed and have not applied an updated release are exposed.

Risk and Exploitability

The severity is moderate (CVSS 6.1), EPSS puts the exploitation probability below 1%, and the flaw is not listed in CISA's KEV catalog. Exploitation needs no credentials but does need user interaction: an administrator who is logged in to wp-admin must load attacker-controlled content (a link, an email, a page with an auto-submitting form) that sends the forged settings request with the administrator's session cookies. Once the setting is saved, the payload reaches every visitor of a page where the plugin renders it, with no further interaction from the administrator. Browser SameSite cookie defaults raise the bar for cross-site POST requests but are not a substitute for server-side nonce validation.

Generated by OpenCVE AI on April 28, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a plugin release that adds nonce validation (and output escaping) on the settings page if the vendor publishes one; at the time this page was generated no fixed release was listed (see Remediation above), so check the plugin changelog before relying on an update to close the CWE‑79 issue.
  • If the plugin is not essential, remove or disable it; this removes both the unprotected settings handler and the code that renders the stored value, and is the only complete mitigation while no fix is available.
  • A security plugin or WAF cannot add nonce checks to a third‑party form; at most it can block requests to the settings page that carry script markup or lack a same‑site Origin/Referer header. Treat such rules as a stopgap against the stored XSS (CWE‑79), not as a fix.
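The Impact section above describes the pattern (an option written from a POSTed value with no nonce check, then rendered raw) and the recommended actions ask for nonce validation plus escaping. As an added example, not the plugin's code and not part of the OpenCVE page, the following Python script embeds a constructed vulnerable handler beside its hardened form and runs a heuristic static check that flags settings handlers writing an option from request input without a nonce check, a capability check, or escaped output. The two PHP handlers are constructed samples; the gpo_* option, field and nonce names are hypothetical, and the WordPress functions used in the hardened sample (check_admin_referer, wp_nonce_field, current_user_can, wp_kses_post, wp_unslash, esc_textarea) are real WordPress APIs.

```python
"""Heuristic audit for the CSRF-to-stored-XSS pattern described in the advisory:
a WordPress settings handler that writes an option from $_POST without a nonce
check and later echoes the stored value unescaped.  Added example, not the
plugin's code."""
import re
from dataclasses import dataclass

# Constructed sample (hypothetical gpo_* names), not the real plugin source:
# saves a POSTed value with no nonce or capability check, then renders it raw.
VULNERABLE_PHP = r"""<?php
function gpo_settings_page() {
    if ( isset( $_POST['gpo_button_html'] ) ) {
        update_option( 'gpo_button_html', $_POST['gpo_button_html'] );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    echo '<form method="post">';
    echo '<textarea name="gpo_button_html">' . get_option( 'gpo_button_html' ) . '</textarea>';
    echo '<input type="submit" value="Save"></form>';
}
"""

# Same handler hardened (also constructed): nonce field in the form and
# check_admin_referer() on submit, an explicit capability check, wp_kses_post()
# on the input, and esc_textarea() when the stored value is rendered.
HARDENED_PHP = r"""<?php
function gpo_settings_page() {
    if ( isset( $_POST['gpo_button_html'] ) ) {
        check_admin_referer( 'gpo_save_settings', 'gpo_nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        $value = wp_kses_post( wp_unslash( $_POST['gpo_button_html'] ) );
        update_option( 'gpo_button_html', $value );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    echo '<form method="post">';
    wp_nonce_field( 'gpo_save_settings', 'gpo_nonce' );
    echo '<textarea name="gpo_button_html">' . esc_textarea( get_option( 'gpo_button_html' ) ) . '</textarea>';
    echo '<input type="submit" value="Save"></form>';
}
"""

NONCE_CHECKS = ("check_admin_referer(", "wp_verify_nonce(", "check_ajax_referer(")
CAPABILITY_CHECKS = ("current_user_can(",)
OPTION_WRITES = ("update_option(", "add_option(")
REQUEST_INPUT = ("$_POST", "$_REQUEST", "$_GET")
OUTPUT_ESCAPES = ("esc_html(", "esc_attr(", "esc_textarea(", "wp_kses(", "wp_kses_post(")


@dataclass
class Finding:
    function: str
    missing: list


def php_functions(src):
    """Yield (name, body) for each PHP function, matching braces to find the body.
    Braces inside strings or comments are not special-cased: triage quality only."""
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def audit(src):
    """Return a Finding for every function that stores request input in an
    option without a nonce check, a capability check, or escaped output."""
    findings = []
    for name, body in php_functions(src):
        writes_request_input = (any(w in body for w in OPTION_WRITES)
                                and any(r in body for r in REQUEST_INPUT))
        if not writes_request_input:
            continue
        missing = []
        if not any(n in body for n in NONCE_CHECKS):
            missing.append("nonce")             # forged cross-site request is accepted (CSRF)
        if not any(c in body for c in CAPABILITY_CHECKS):
            missing.append("capability")
        if "get_option(" in body and not any(e in body for e in OUTPUT_ESCAPES):
            missing.append("output-escaping")   # stored value rendered raw (stored XSS sink)
        if missing:
            findings.append(Finding(name, missing))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label, audit(src) or "no findings")
```

Feeding a plugin's own PHP files to audit() gives a quick triage list of handlers to inspect by hand. The check is deliberately simple: it matches function names as substrings, the brace matcher ignores braces inside strings and comments, and a nonce check located in a helper called from the handler would be reported as missing, so treat every finding as a pointer rather than a verdict.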


Advisories
Source: EUVD
ID: EUVD-2025-12392
Title: The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 25 Apr 2025 16:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 25 Apr 2025 07:00:00 +0000

Description added: The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title added: Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses added: CWE-79
References: no values recorded in this entry
Metrics added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:46.287Z

Reserved: 2025-04-22T14:45:59.286Z

Link: CVE-2025-3866

Vulnrichment

Updated: 2025-04-25T15:43:33.871Z

NVD

Status: Deferred

Published: 2025-04-25T07:15:48.143

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')