Bottom Bar <= 0.1.7
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Bottom Bar plugin for WordPress, affecting all versions up to and including 0.1.7. The vulnerability arises from a lack of nonce verification in the plugin's settings update forms, which are managed in the 'bottom-bar-admin.php' file. None of the three settings forms—main settings, sharing services, and restore defaults—include the necessary nonce fields. As a result, the server-side processing code does not validate nonce data before handling POST requests and updating plugin options. This flaw allows an unauthenticated attacker to trick a logged-in administrator into submitting a forged request that alters plugin settings, such as the language, maximum post counts, or active sharing services.
Successful exploitation could lead to unauthorized changes to the plugin's configuration, made through the browser session of a logged-in administrator who was tricked into submitting the forged request.
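The following is an added illustration of the defect class described above, not the Bottom Bar plugin's own code: a WordPress settings handler that updates options straight from POST data without a nonce (the vulnerable pattern), next to the hardened form of the same handler. The function names, option names, the `bb_example_save_settings` nonce action and the `manage_options` capability are assumptions chosen for the example; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, `sanitize_text_field`, `absint`) are real.

```php
<?php
// Added example (not the Bottom Bar plugin's own code). Option names, form
// field names and the nonce action are assumptions for illustration.

// --- Vulnerable pattern: no nonce field in the form, no nonce check on save ---
function bb_example_vulnerable_save() {
    if ( isset( $_POST['bb_save_settings'] ) ) {
        // Any POST that reaches this admin page with the administrator's
        // cookies is accepted, including one submitted from a third-party
        // page the administrator happened to visit (CSRF).
        update_option( 'bb_example_language', $_POST['bb_language'] );
        update_option( 'bb_example_max_posts', $_POST['bb_max_posts'] );
    }
}

// --- Hardened pattern: nonce field in the form ... ---
function bb_example_render_form() {
    ?>
    <form method="post">
        <?php
        // Emits the hidden _wpnonce-style field (here named bb_example_nonce),
        // tied to the action string and to the current user's session.
        wp_nonce_field( 'bb_example_save_settings', 'bb_example_nonce' );
        ?>
        <input type="text" name="bb_language"
               value="<?php echo esc_attr( get_option( 'bb_example_language', 'en' ) ); ?>">
        <input type="number" name="bb_max_posts"
               value="<?php echo esc_attr( get_option( 'bb_example_max_posts', 5 ) ); ?>">
        <input type="submit" name="bb_save_settings" value="Save">
    </form>
    <?php
}

// --- ... and nonce + capability check before any option is written ---
function bb_example_hardened_save() {
    if ( ! isset( $_POST['bb_save_settings'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this
    //    action. check_admin_referer() calls wp_die() when it is missing
    //    or invalid, so nothing below runs for a forged request.
    check_admin_referer( 'bb_example_save_settings', 'bb_example_nonce' );

    // 3. Validate and sanitize input before storing it.
    $language  = sanitize_text_field( wp_unslash( $_POST['bb_language'] ?? '' ) );
    $max_posts = absint( $_POST['bb_max_posts'] ?? 0 );
    if ( ! in_array( $language, array( 'en', 'de', 'fr' ), true ) ) {
        $language = 'en'; // assumed default
    }
    update_option( 'bb_example_language', $language );
    update_option( 'bb_example_max_posts', $max_posts );
}
```

In terms of the advisory, the fix is the same for each of the three forms named above: add a `wp_nonce_field()` call to the form markup and verify it with `check_admin_referer()` (or `wp_verify_nonce()`) together with a capability check before the POST handler touches any option. When reviewing a plugin for this defect class, grep the admin files for `update_option` calls and confirm that each is preceded by a nonce verification on the same request path.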