216.73.217.22

CVE-2026-6401

· Published 20/05/2026 02:16 · Modified 20/05/2026 13:54

Labels: CVE-2026-6401 2026-05-20CVE-2026-6401CWE-352[email protected]

Essential information

Published
20/05/2026 02:16
Modified
20/05/2026 13:54
Author
Creator
CVSS
4.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS metrics

Description

The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / bottom bar cpe:2.3:a:wordpress:bottom_bar:*:*:*:*:*:wordpress:*:*

References