VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 25, 2025 · Updated Apr 15, 2026

CVE-2025-3866

Description

The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the Add Google +1 social share Button WordPress plugin allows unauthenticated attackers to update settings and inject scripts via forged requests.

The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on its settings page. All versions up to and including 1.0.0 are affected. This flaw arises from the plugin's failure to implement a proper nonce check when processing requests to update plugin options, leaving administrative actions unprotected against CSRF attacks.

An unauthenticated attacker can exploit this by crafting a malicious request that modifies plugin settings, such as injecting arbitrary JavaScript or other web scripts. The attacker must trick a site administrator into clicking a link or visiting a crafted page while authenticated to WordPress. No special privileges are required for the attacker, and the admin's session is leveraged to perform the unauthorized actions.

Successful exploitation allows the attacker to update plugin options, potentially inserting malicious scripts that execute in the context of the admin's session or the site's frontend. This can lead to stored cross-site scripting (XSS) attacks, enabling further compromise of the site or its users. The plugin has been closed by the WordPress.org team as of April 24, 2025, citing a security issue [1].

As the plugin is no longer available for download and is not being maintained, users are strongly advised to remove it from their WordPress installations immediately. No patch or update is available, and reliance on this plugin poses a continued security risk.
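To make the root cause concrete, the following is an added illustration (not the plugin's own code) of a hypothetical WordPress settings handler in the weak form the advisory describes beside a hardened form that adds the nonce check, a capability check and output-safe sanitization; the `gp1_` function, option and field names are assumed.

```php
<?php
// Added illustration, not the plugin's own code. Function, option and
// field names (gp1_*) are assumptions made for this example.

// WEAK: trusts any POST that reaches the settings page. A forged cross-site
// request submitted by a logged-in admin's browser reaches update_option()
// with no nonce or capability check, and the raw value is stored unsanitized,
// so arbitrary markup/script can later be echoed into site pages.
function gp1_save_settings_weak() {
    if ( isset( $_POST['gp1_button_html'] ) ) {
        update_option( 'gp1_button_html', $_POST['gp1_button_html'] );
    }
}

// HARDENED: verify the nonce bound to this specific action, confirm the
// caller's capability, and sanitize the value before storing it.
function gp1_save_settings_hardened() {
    if ( ! isset( $_POST['gp1_button_html'] ) ) {
        return;
    }
    // check_admin_referer() terminates the request unless a valid nonce for
    // the 'gp1_save_settings' action is present in the 'gp1_nonce' field.
    check_admin_referer( 'gp1_save_settings', 'gp1_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'gp1' ) );
    }
    // wp_kses_post() strips <script> tags and on* event handlers while
    // keeping the safe HTML that a share-button snippet legitimately needs.
    $value = wp_kses_post( wp_unslash( $_POST['gp1_button_html'] ) );
    update_option( 'gp1_button_html', $value );
}

// The settings form must emit the matching nonce so that legitimate
// submissions pass check_admin_referer() while forged ones do not.
function gp1_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'gp1_save_settings', 'gp1_nonce' ); ?>
        <textarea name="gp1_button_html"><?php
            echo esc_textarea( get_option( 'gp1_button_html', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Wire the hardened handler into admin request processing.
add_action( 'admin_init', 'gp1_save_settings_hardened' );
```

The nonce is tied to the logged-in user and to the named action, so a link or page crafted by a third party cannot supply one; removing the plugin, as advised above, remains the only remedy for the real affected versions since no patch exists.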

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)