Impact
The vulnerability arises from missing or incorrect nonce validation in the Google Plus One Bottom plugin for WordPress, enabling attackers to perform a cross-site request forgery (CSRF) that updates the plugin's settings. An unauthenticated attacker can trick a logged-in administrator into visiting a crafted page or clicking a link, causing the server to store new values for options such as plusone-lang, plusone-callback, and plusone-url. The impact is primarily a compromise of integrity: the attacker can redirect users or alter the Google+ integration without directly accessing the site's data.
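To make the defect concrete, the following PHP contrasts a settings handler that trusts any POST with one that verifies a nonce and the caller's capability before writing the options named above. This is an added illustration, not the Google Plus One Bottom plugin's own code; the function names, form field names and nonce action string are assumptions.

```php
<?php
// Illustrative WordPress settings handlers for the options named in the
// advisory (plusone-lang, plusone-callback, plusone-url). Hypothetical code,
// not the plugin's own; function, field and nonce action names are assumed.

// Pattern 1: the defect described above. Every POST reaching the handler is
// trusted, so a request forged on another site, sent with the administrator's
// session cookies, overwrites the options without any user intent.
function plusone_save_settings_unsafe() {
    if ( isset( $_POST['plusone-url'], $_POST['plusone-lang'], $_POST['plusone-callback'] ) ) {
        update_option( 'plusone-lang',     $_POST['plusone-lang'] );
        update_option( 'plusone-callback', $_POST['plusone-callback'] );
        update_option( 'plusone-url',      $_POST['plusone-url'] );
    }
}

// Pattern 2: the hardened form emits a nonce tied to one action; the handler
// refuses the write unless that nonce is present and valid and the caller
// holds the manage_options capability.
function plusone_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'plusone_save_settings', 'plusone_nonce' );
    echo '<input type="text" name="plusone-lang">';
    echo '<input type="text" name="plusone-callback">';
    echo '<input type="text" name="plusone-url">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

function plusone_save_settings_safe() {
    if ( ! isset( $_POST['plusone-url'], $_POST['plusone-lang'], $_POST['plusone-callback'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // check_admin_referer() verifies the nonce for this action and stops the
    // request when it is missing or invalid. A cross-site forgery cannot supply
    // it, because the attacker never sees the value generated for the admin.
    check_admin_referer( 'plusone_save_settings', 'plusone_nonce' );

    // Sanitise what is stored so the options cannot carry arbitrary markup.
    update_option( 'plusone-lang',     sanitize_text_field( wp_unslash( $_POST['plusone-lang'] ) ) );
    update_option( 'plusone-callback', sanitize_text_field( wp_unslash( $_POST['plusone-callback'] ) ) );
    update_option( 'plusone-url',      esc_url_raw( wp_unslash( $_POST['plusone-url'] ) ) );
}
add_action( 'admin_init', 'plusone_save_settings_safe' );
```

When reviewing a plugin for this class of bug, look for every `update_option()` reachable from request data and confirm a `check_admin_referer()` or `wp_verify_nonce()` call, plus a capability check, precedes it.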
Affected Systems
WordPress sites that have the Google Plus One Bottom plugin installed at version 0.0.2 or earlier. Any administrator who remains logged in while visiting a forged request could be impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity; no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, suggesting there is no known large-scale exploitation. The attack vector is limited to social-engineering scenarios in which an attacker lures an administrator to a malicious link. No authentication bypass is required, but the victim must be an administrator who is actively logged in. Consequently, the risk is real but depends on a targeted attack and does not affect all site users automatically.
OpenCVE Enrichment