What is CVE-2026-9723?

CVE-2026-9723 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google Plus One Bottom plugin for WordPress, affecting all versions up to and including 0.0.2. It allows unauthenticated attackers to modify plugin settings by tricking an administrator into performing actions without proper nonce validation.

How does the vulnerability work?

The vulnerability arises from missing nonce validation in the googlePlusOneAdmin function. An attacker can create a malicious link or page that, when clicked by an administrator, submits a request to change plugin settings without the necessary security checks, allowing unauthorized modifications.

Who is affected by this vulnerability?

All WordPress sites using the Google Plus One Bottom plugin version 0.0.2 or earlier are affected. Site administrators are particularly at risk, as they can inadvertently trigger the CSRF attack by clicking on malicious links.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Google Plus One Bottom plugin installed. If it is version 0.0.2 or lower, your site is at risk. Additionally, review your site’s logs for any suspicious activity related to plugin settings changes.

How can I fix CVE-2026-9723?

To fix the vulnerability, update the Google Plus One Bottom plugin to a version that includes nonce validation. If no update is available, you can manually add nonce checks to the googlePlusOneAdmin function using `wp_verify_nonce()` or `check_admin_referer()`.

What are the best practices for mitigating CSRF vulnerabilities?

Best practices include implementing nonce checks in all admin-facing forms and AJAX requests, ensuring proper user capability checks, and keeping plugins and WordPress core updated. Regularly audit your plugins for vulnerabilities and remove any that are no longer maintained.

What does a CVSS score of 4.3 indicate?

A CVSS score of 4.3 is classified as medium severity, indicating that while the vulnerability is not trivial to exploit, it can still lead to significant consequences if successfully executed. Administrators should prioritize remediation based on their site’s risk profile.

What is a proof of concept (PoC) in this context?

A proof of concept (PoC) for CVE-2026-9723 would typically involve a crafted HTML page that submits a form to the vulnerable plugin’s settings page. This PoC demonstrates how an attacker can exploit the vulnerability to change settings without proper authorization.

What specific settings can be modified by exploiting this vulnerability?

Exploitation of this vulnerability allows attackers to modify the plusone-lang, plusone-callback, and plusone-url settings of the plugin. This could redirect Google+ share actions to malicious sites or inject harmful scripts, leading to broader security issues.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised due to this vulnerability, immediately review your site’s logs for unauthorized changes, update the plugin, and consider restoring from a backup. Additionally, conduct a full security audit to assess any further risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-9723: Google Plus One Bottom <= 0.0.2 Cross-Site Request Forgery to Plugin Settings Update via Settings Page PoC, Patch Analysis & Rule

CVE ID CVE-2026-9723

Plugin google-plus-one-bottom

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 0.0.2

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9723 (metadata-based): This is a Cross-Site Request Forgery vulnerability in the Google Plus One Bottom plugin for WordPress, affecting all versions up to and including 0.0.2. The vulnerability allows unauthenticated attackers to modify plugin settings by tricking a site administrator into clicking a malicious link. The CVSS v3.1 score is 4.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.

Root Cause: Based on the CWE-352 classification and the vulnerability description, the root cause is missing or incorrect nonce validation on the googlePlusOneAdmin function. In WordPress, admin-facing settings pages and AJAX handlers use a security token called a nonce to verify that requests originate from the legitimate admin session. The plugin’s settings page handler likely processes form submissions without checking for a valid nonce, allowing any cross-origin request to modify settings. Atomic Edge analysis infers this from the CWE classification and description since no source code is available for direct confirmation.

Exploitation: An attacker crafts a malicious HTML page containing an auto-submitting form or a crafted link that targets the WordPress admin settings page for the plugin. The specific endpoint is likely `wp-admin/options-general.php?page=google-plus-one-bottom` or a similar admin page hook. The form contains fields for the vulnerable parameters: plusone-lang, plusone-callback, and plusone-url. When a logged-in administrator visits the malicious page, the form submits without the required nonce, and the plugin’s googlePlusOneAdmin function processes the request, saving the attacker’s values to the WordPress database.

Remediation: The fix requires adding a nonce check to the googlePlusOneAdmin function. The plugin should use `wp_verify_nonce()` or `check_admin_referer()` to validate that the request includes a valid nonce generated by `wp_nonce_field()` or `wp_create_nonce()`. Without the nonce check, the function should reject the request. Additionally, the plugin should implement proper capability checking using `current_user_can()` to ensure only administrators can modify settings, though this would not prevent CSRF on its own.

Impact: Successful exploitation allows an attacker to modify the plugin’s settings stored in the WordPress database. Specifically, the attacker can change the plusone-lang (language), plusone-callback (callback URL), and plusone-url (target URL) options. This could redirect Google+ share actions to malicious domains or inject JavaScript into the callback parameter, leading to stored XSS. A site administrator tricked into clicking a link results in unauthorized settings modification, potentially compromising site functionality or user trust.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-9723 (metadata-based)
# Blocks CSRF exploitation targeting the Google Plus One Bottom settings page
# This rule assumes the vulnerable endpoint is the plugin's admin options page
SecRule REQUEST_URI "@streq /wp-admin/options-general.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9723 CSRF Attempt via Google Plus One Bottom Plugin Settings',severity:'CRITICAL',tag:'CVE-2026-9723'"
  SecRule ARGS_GET:page "@streq google-plus-one-bottom" "chain"
    SecRule ARGS_POST:plusone-url "@rx ^https?://" 
      "t:none"

Frequently Asked Questions

What is CVE-2026-9723?
Understanding the vulnerability
CVE-2026-9723 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google Plus One Bottom plugin for WordPress, affecting all versions up to and including 0.0.2. It allows unauthenticated attackers to modify plugin settings by tricking an administrator into performing actions without proper nonce validation.
How does the vulnerability work?
Mechanism of the CSRF attack
The vulnerability arises from missing nonce validation in the googlePlusOneAdmin function. An attacker can create a malicious link or page that, when clicked by an administrator, submits a request to change plugin settings without the necessary security checks, allowing unauthorized modifications.
Who is affected by this vulnerability?
Identifying vulnerable users
All WordPress sites using the Google Plus One Bottom plugin version 0.0.2 or earlier are affected. Site administrators are particularly at risk, as they can inadvertently trigger the CSRF attack by clicking on malicious links.
How can I check if my site is vulnerable?
Assessing your plugin version
To determine if your site is vulnerable, check the version of the Google Plus One Bottom plugin installed. If it is version 0.0.2 or lower, your site is at risk. Additionally, review your site’s logs for any suspicious activity related to plugin settings changes.
How can I fix CVE-2026-9723?
Implementing the necessary patch
To fix the vulnerability, update the Google Plus One Bottom plugin to a version that includes nonce validation. If no update is available, you can manually add nonce checks to the googlePlusOneAdmin function using `wp_verify_nonce()` or `check_admin_referer()`.
What are the best practices for mitigating CSRF vulnerabilities?
Preventative measures
Best practices include implementing nonce checks in all admin-facing forms and AJAX requests, ensuring proper user capability checks, and keeping plugins and WordPress core updated. Regularly audit your plugins for vulnerabilities and remove any that are no longer maintained.
What does a CVSS score of 4.3 indicate?
Understanding the risk level
A CVSS score of 4.3 is classified as medium severity, indicating that while the vulnerability is not trivial to exploit, it can still lead to significant consequences if successfully executed. Administrators should prioritize remediation based on their site’s risk profile.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
A proof of concept (PoC) for CVE-2026-9723 would typically involve a crafted HTML page that submits a form to the vulnerable plugin’s settings page. This PoC demonstrates how an attacker can exploit the vulnerability to change settings without proper authorization.
What specific settings can be modified by exploiting this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability allows attackers to modify the plusone-lang, plusone-callback, and plusone-url settings of the plugin. This could redirect Google+ share actions to malicious sites or inject harmful scripts, leading to broader security issues.
What should I do if I suspect my site has been compromised?
Responding to potential exploitation
If you suspect your site has been compromised due to this vulnerability, immediately review your site’s logs for unauthorized changes, update the plugin, and consider restoring from a backup. Additionally, conduct a full security audit to assess any further risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations