Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 20 May 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 20 May 2026 11:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Svil4ok
Svil4ok bottom Bar Wordpress Wordpress wordpress |
|
| Vendors & Products |
Svil4ok
Svil4ok bottom Bar Wordpress Wordpress wordpress |
Wed, 20 May 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services. | |
| Title | Bottom Bar <= 0.1.7 - Cross-Site Request Forgery to Settings Update | |
| Weaknesses | CWE-352 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-20T14:15:50.660Z
Reserved: 2026-04-15T20:30:08.265Z
Link: CVE-2026-6401
Updated: 2026-05-20T14:15:46.626Z
Status : Deferred
Published: 2026-05-20T02:16:38.213
Modified: 2026-06-17T11:00:46.987
Link: CVE-2026-6401
No data.
OpenCVE Enrichment
Updated: 2026-05-20T10:38:13Z