CVE-2026-6401

Name of the Vulnerable Software and Affected Versions Bottom Bar versions prior to 0.1.8

Description The Bottom Bar plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to do. The issue exists in the settings update forms handled in 'bottom-bar-admin.php' because they lack nonce verification. Specifically, the main settings, sharing services, and restore defaults forms do not include wp nonce field(), and the server-side code fails to call check admin referer() or equivalent validation before processing POST data via update option(). This allows unauthenticated attackers to deceive a logged-in administrator into submitting a crafted request to modify configuration options, including language settings, maximum post counts, or enabled sharing services.

Recommendations Update to a version later than 0.1.7. As a temporary workaround, restrict access to the 'bottom-bar-admin.php' file to minimize the risk of exploitation.