Platform: wordpress
Component: simple-social-buttons
Fixed in: 6.2.1
CVE-2026-34904 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Simple Social Media Share Buttons plugin for WordPress. A CSRF vulnerability allows an attacker to perform unauthorized actions on behalf of an authenticated user, such as a site administrator, if the attacker can trick that user into clicking a malicious link. This vulnerability impacts versions of the plugin up to and including 6.2.0, and a patch is available in version 6.2.1.
The CSRF vulnerability in the Simple Social Media Share Buttons plugin affects all versions up to and including 6.2.0. An attacker could trick a website administrator into performing unauthorized actions, such as changing plugin settings or installing malicious content, simply by having them click a specially crafted link. The root cause is missing or insufficient nonce validation: the plugin does not adequately verify that a state-changing request actually originated from its own admin interface rather than from a third-party page. The CVSS score of 4.3 indicates a moderate risk, but because a legitimate administrator can be manipulated into triggering the action, the issue still warrants prompt attention. This is particularly concerning because administrators often have broad permissions, so a successful exploit could lead to significant site compromise.
An attacker could create a malicious website or send an email containing a link that, when visited by an administrator logged in to a site running the vulnerable plugin version, causes the administrator's browser to submit an unauthorized request to that site. The attack relies on the administrator's trust in the link or website and on the browser automatically attaching the administrator's session cookies. The attacker does not need to know the administrator's credentials, only to trick them into visiting the page or clicking the link. The attack's effectiveness therefore depends on the attacker's ability to deceive the administrator, for example through phishing or through pages that resemble the WordPress admin interface.
Exploit Status
EPSS: 0.02% (5th percentile)
The most effective solution is to update the Simple Social Media Share Buttons plugin to version 6.2.1 or higher. This update adds the missing nonce validation, so forged cross-site requests are rejected. If an immediate update is not possible, consider compensating measures such as restricting administrative access, educating administrators about CSRF risks, and using a security plugin that offers CSRF protection. Take a full website backup before applying any update or configuration change. Additionally, monitoring site activity, in particular unexpected changes to plugin settings, can help detect and respond to attempted exploitation.
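The nonce-validation fix referred to above, shown as an added illustration in PHP. This is not the plugin's own code; the `ssb_example_*` function, option and action names are hypothetical. The first handler trusts any request arriving with an administrator's session, which is the CSRF-prone pattern; the second requires a WordPress nonce bound to the form action and the logged-in user.

```php
<?php
// Added illustration of the vulnerable-vs-fixed pattern, not code from the
// Simple Social Media Share Buttons plugin. All ssb_example_* names are hypothetical.

// VULNERABLE: the handler only checks capability. A forged cross-site POST
// carries the administrator's cookies, so the settings are overwritten
// without the administrator intending it.
function ssb_example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // No nonce check: the origin of the request is never verified.
    $networks = isset( $_POST['networks'] ) ? (array) $_POST['networks'] : array();
    update_option( 'ssb_example_networks', array_map( 'sanitize_text_field', $networks ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ssb-example' ) );
    exit;
}

// FIXED: the settings form embeds a nonce tied to the action and current user...
function ssb_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ssb_example_save">';
    // Emits the hidden nonce field plus a _wp_http_referer field.
    wp_nonce_field( 'ssb_example_save_settings', 'ssb_example_nonce' );
    echo '<input type="text" name="networks[]" value="">';
    submit_button( 'Save' );
    echo '</form>';
}

// ...and the handler refuses any request whose nonce is missing, expired,
// or was issued for a different user or action (check_admin_referer() dies with 403).
function ssb_example_save_settings_fixed() {
    check_admin_referer( 'ssb_example_save_settings', 'ssb_example_nonce' );

    // A nonce proves intent, not authority: keep the capability check as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $networks = isset( $_POST['networks'] ) ? (array) $_POST['networks'] : array();
    update_option( 'ssb_example_networks', array_map( 'sanitize_text_field', $networks ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ssb-example' ) ) );
    exit;
}

add_action( 'admin_post_ssb_example_save', 'ssb_example_save_settings_fixed' );
```

For AJAX endpoints the equivalent check is `check_ajax_referer()`, and for the Settings API, `register_setting()` forms submitted through `options.php` are nonce-checked by WordPress core itself.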
Update to version 6.2.1, or a newer patched version
A CSRF (Cross-Site Request Forgery) attack tricks an authenticated user into performing unwanted actions in a web application.
The update fixes the vulnerability that allows attackers to perform unauthorized actions on your website.
Implement additional security measures, such as restricting administrative access and using a security plugin.
Educate your administrators about CSRF risks and how to identify suspicious links or websites.
There are WordPress security plugins that offer CSRF protection and can help detect suspicious activity.