What the vulnerability does
01 Description
The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.
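The defect described above is a pattern rather than a single line, so the following added example shows it in isolation. This is illustrative PHP written for this page, not the Bottom Bar plugin's own code: the option names (bb_demo_language, bb_demo_max_posts), the nonce action and field (bb_demo_save_settings, bb_demo_nonce) and the function names are hypothetical. The vulnerable handler trusts any POST that reaches it; the hardened handler rejects requests that do not carry a nonce issued to this user by this form, and then also checks capability, because a valid nonce only proves the request originated from the form, not that the submitter is allowed to change settings. Every form that writes options, including a "restore defaults" button, needs the same two checks.

```php
<?php
// Added illustrative example for this advisory, not the Bottom Bar plugin's code.
// All option names, nonce action/field names and function names are hypothetical.

// ---- Vulnerable pattern: no nonce in the form, handler trusts raw POST data ----

function bb_demo_render_form_vulnerable() {
    ?>
    <form method="post" action="">
        <input type="text" name="bb_demo_language"
               value="<?php echo esc_attr( get_option( 'bb_demo_language', 'en' ) ); ?>">
        <input type="number" name="bb_demo_max_posts"
               value="<?php echo esc_attr( get_option( 'bb_demo_max_posts', 5 ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function bb_demo_handle_post_vulnerable() {
    // Any page the administrator's browser visits can auto-submit a form here:
    // the browser attaches the admin's cookies, and nothing ties the request to
    // the plugin's own settings page. No nonce, no capability check, no sanitizing.
    if ( isset( $_POST['bb_demo_language'] ) ) {
        update_option( 'bb_demo_language', $_POST['bb_demo_language'] );
        update_option( 'bb_demo_max_posts', $_POST['bb_demo_max_posts'] );
    }
}

// ---- Hardened pattern: nonce in the form, verified before any update_option() ----

function bb_demo_render_form_hardened() {
    ?>
    <form method="post" action="">
        <?php
        // Emits a hidden field bound to this action, this user and this session.
        wp_nonce_field( 'bb_demo_save_settings', 'bb_demo_nonce' );
        ?>
        <input type="text" name="bb_demo_language"
               value="<?php echo esc_attr( get_option( 'bb_demo_language', 'en' ) ); ?>">
        <input type="number" name="bb_demo_max_posts"
               value="<?php echo esc_attr( get_option( 'bb_demo_max_posts', 5 ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function bb_demo_handle_post_hardened() {
    if ( ! isset( $_POST['bb_demo_nonce'] ) ) {
        return; // Not a submission of this form at all.
    }

    // Calls wp_die() if the nonce is missing, expired or was issued for a
    // different action or user, so a cross-site submission never reaches the writes.
    check_admin_referer( 'bb_demo_save_settings', 'bb_demo_nonce' );

    // A nonce is not authorization: also require the capability to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
    }

    // Only now touch the submitted values, and normalize them before storing.
    $language  = sanitize_text_field( wp_unslash( $_POST['bb_demo_language'] ?? 'en' ) );
    $max_posts = absint( $_POST['bb_demo_max_posts'] ?? 5 );

    update_option( 'bb_demo_language', $language );
    update_option( 'bb_demo_max_posts', $max_posts );
}
```

When reviewing a plugin for this class of bug, the quick check is to grep the admin files for every update_option() call and confirm that each one sits below a check_admin_referer() or wp_verify_nonce() call for the same request, and that the rendering code for that form emits the matching wp_nonce_field().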
Explanation of Vulnerability in Simple Terms
02 Summary
Bottom Bar versions 0.1.7 and earlier are vulnerable to cross-site request forgery (CSRF). An attacker can craft a malicious webpage that, when visited by a site administrator, silently submits the plugin's settings forms on the administrator's behalf and changes the plugin's configuration. The attack only works if the administrator visits the attacker's page while logged into their own site. No data is disclosed, but the integrity of the plugin's settings can be compromised.
What an attacker can do
03 Attacker Capabilities
Change the plugin's settings (language, maximum post counts, enabled sharing services, or a reset to defaults) by tricking a logged-in administrator into visiting a malicious webpage.
Potential impact on your site
04 Site Impact
Attackers can alter the plugin's configuration if they trick an administrator into visiting a malicious link, compromising the integrity of those settings without exposing any data.
Conditions required to exploit
05 Prerequisites
A site administrator must visit an attacker-controlled webpage while logged into the WordPress site; the attacker needs no account on the site.
Key dates
06 Disclosure timeline
May 20, 2026: CVE published
May 20, 2026: Record updated