Description
The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bottom Bar plugin for WordPress is affected by a Cross‑Site Request Forgery flaw that lets an attacker who is not logged in modify plugin settings by abusing a logged‑in administrator's browser session. By inducing that browser to send a crafted POST request to the plugin's admin forms, the attacker can change configuration options such as language, post display limits, or sharing services. This can undermine site behavior and user experience, potentially revealing internal data or enabling further manipulation of the site's front‑end.

Affected Systems

WordPress sites running the Bottom Bar plugin version 0.1.7 or earlier are vulnerable. The issue appears in all forms handled by bottom-bar-admin.php and affects the main settings, sharing services, and restore defaults pages of the plugin.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The flaw is exploitable by an unauthenticated attacker who can trick a logged‑in administrator into submitting the malicious request, so it is likely to be used against sites with exposed admin URLs. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires only a forged HTTP POST, and no special privileges or environment is needed beyond the ability to reach the site's admin interface.

Generated by OpenCVE AI on May 20, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bottom Bar to the latest version where nonce verification is added.
  • If immediate upgrade is not possible, disable the plugin’s settings update capability or lock out the admin area using access controls or a plugin that blocks unauthenticated POSTs.
  • Verify that all administrator accounts use strong, multi‑factor authentication and review role permissions so that only trusted users can edit plugin settings.
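
The two defects named in the description (no wp_nonce_field() in the settings forms, no check_admin_referer() before update_option()) and the nonce verification the upgrade is expected to add, shown side by side as an added example. This is not code from this record or from the Bottom Bar plugin: both handlers are hypothetical PHP, every identifier prefixed `example_` and the option key `example_bar_settings` are placeholders, and nothing here is taken from bottom-bar-admin.php.

```php
<?php
// Added illustration of the CWE-352 pattern the advisory describes (a settings
// form with no wp_nonce_field() and a handler that calls update_option() without
// check_admin_referer()). This is NOT the Bottom Bar plugin's code: every
// identifier prefixed "example_" and the option key 'example_bar_settings' are
// hypothetical placeholders.

const EXAMPLE_NONCE_ACTION = 'example_bar_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_bar_nonce';

/*
 * Vulnerable pattern (shown for contrast, deliberately not hooked anywhere).
 * The form carries no nonce and the handler trusts $_POST as-is, so any page the
 * administrator visits while logged in can submit an identical POST on their
 * behalf and the stored settings are overwritten.
 */
function example_vulnerable_settings_form() {
    ?>
    <form method="post">
        <input type="text" name="lang" value="">
        <input type="number" name="max_posts" value="">
        <input type="submit" name="example_save" value="Save">
    </form>
    <?php
}

function example_vulnerable_handler() {
    if ( isset( $_POST['example_save'] ) ) {
        // No check_admin_referer(), no capability check, no sanitisation.
        update_option( 'example_bar_settings', array(
            'lang'      => $_POST['lang'],
            'max_posts' => $_POST['max_posts'],
        ) );
    }
}

/*
 * Hardened pattern: the form embeds a nonce bound to this action and to the
 * current user, and the handler refuses to touch the options table unless that
 * nonce verifies and the user actually holds the capability.
 */
function example_hardened_settings_form() {
    $settings = get_option( 'example_bar_settings', array( 'lang' => '', 'max_posts' => 0 ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <input type="text" name="lang" value="<?php echo esc_attr( $settings['lang'] ); ?>">
        <input type="number" name="max_posts" value="<?php echo esc_attr( $settings['max_posts'] ); ?>">
        <input type="submit" name="example_save" value="Save">
    </form>
    <?php
}

function example_hardened_handler() {
    if ( ! isset( $_POST['example_save'] ) ) {
        return;
    }
    // check_admin_referer() validates the nonce sent in EXAMPLE_NONCE_FIELD against
    // EXAMPLE_NONCE_ACTION for the current user and calls wp_die() on failure, so a
    // cross-site POST, which cannot read the victim's nonce, never reaches
    // update_option().
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    // A valid nonce only proves the request came from a form WordPress rendered
    // for this user; it says nothing about authorisation, so the capability
    // check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ) );
    }

    // Sanitise before storing: strip the slashes PHP adds, then coerce each field
    // to the type the option expects.
    $settings = array(
        'lang'      => isset( $_POST['lang'] ) ? sanitize_text_field( wp_unslash( $_POST['lang'] ) ) : '',
        'max_posts' => isset( $_POST['max_posts'] ) ? absint( $_POST['max_posts'] ) : 0,
    );
    update_option( 'example_bar_settings', $settings );
}

// Only the hardened handler is wired up; admin_init fires before the settings
// page renders, so the POST is processed and the form then shows saved values.
add_action( 'admin_init', 'example_hardened_handler' );
```

The same nonce-plus-capability pairing belongs on every state-changing form, including a "restore defaults" button that takes no input fields: a form with nothing to sanitise still needs check_admin_referer() and current_user_can() before it calls update_option(). When reviewing a plugin for this class of flaw, grep its admin handlers for update_option() and confirm each call is preceded by both checks.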

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Svil4ok; Svil4ok bottom Bar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Svil4ok; Svil4ok bottom Bar; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values Added: The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.

Type: Title
Values Added: Bottom Bar <= 0.1.7 - Cross-Site Request Forgery to Settings Update

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Svil4ok Bottom Bar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T14:15:50.660Z

Reserved: 2026-04-15T20:30:08.265Z

Link: CVE-2026-6401

Vulnrichment

Updated: 2026-05-20T14:15:46.626Z

NVD

Status: Deferred

Published: 2026-05-20T02:16:38.213

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:13Z

Weaknesses