CVE-2026-6401

EUVD-2026-31039

20.05.2026, 02:16

The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L16

https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L59

https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L16

https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L59

https://www.wordfence.com/threat-intel/vulnerabilities/id/db0715ed-a06e-4a68-b9c3-408887cae113?source=cve