CVE-2026-34904
Published: 07 April 2026
Summary
CVE-2026-34904 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.0th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34904 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Simple Social Media Share Buttons WordPress plugin, also referred to as Analytify Simple Social Media Share Buttons. The flaw affects all versions up to and including 6.2.0 (no lower bound is given). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), rated High because the vector assigns high impact to confidentiality, integrity and availability.
An unauthenticated attacker (PR:N) exploits the flaw over the network (AV:N) by luring a user who is already authenticated to the WordPress site into loading attacker-controlled content, which submits a forged request that the site accepts because the browser attaches the victim's session cookies. Exploitation therefore needs user interaction (UI:R) and depends on conditions outside the attacker's control, such as the victim holding an active session with sufficient privileges (AC:H). The vector rates the outcome as high across confidentiality, integrity and availability (C:H/I:H/A:H) within the same security scope (S:U). Note that in a CSRF attack the attacker does not see the response, so the impact comes from whatever state-changing actions the vulnerable endpoint performs on the victim's behalf.
For affected-version and fix details, security practitioners should refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Check the installed plugin version against the affected range (through 6.2.0) and apply the vendor update the advisory names.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19596
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
A CSRF vulnerability in a public-facing WordPress plugin enables exploitation of the application (T1190) via a malicious link that requires user interaction to trigger (T1204.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 (Session Authenticity) calls for mechanisms that bind a request to the authenticated session, such as anti-CSRF tokens (WordPress nonces), so that a request forged from another origin is rejected; this directly prevents the forged requests at the heart of this vulnerability.
SI-2 (Flaw Remediation) requires timely remediation, which for this vulnerability means updating the WordPress plugin to a version outside the affected range.
SI-10 (Information Input Validation) covers validating the anti-CSRF token on every state-changing request and, as defense in depth, checking the Origin or Referer header; header checks complement the token rather than replace it.
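The exploitation path described under Deeper analysis and the SC-23/SI-10 controls above come down to one pattern in plugin code: a state-changing handler that trusts the session cookie alone versus one that also demands a per-user, per-action nonce and a capability check. The following is an added illustration written for this page, not code from the Simple Social Media Share Buttons plugin or from Analytify; the handler, option and action names (sssb_*) are hypothetical, and nothing here reflects where the real flaw lies. Only the WordPress core functions (add_action, wp_nonce_field, check_admin_referer, current_user_can, update_option, esc_url_raw, wp_safe_redirect, wp_die) are real.

```php
<?php
/*
 * Added illustration, not the plugin's own code. A hypothetical admin-post
 * handler that saves a plugin option, shown first without CSRF protection and
 * then hardened with a WordPress nonce plus a capability check. All sssb_*
 * names are invented for this example.
 */

// --- Vulnerable form -------------------------------------------------------
// Any POST to admin-post.php?action=sssb_save_vuln that carries the victim's
// logged-in cookies is accepted. A page on another origin can auto-submit a
// form to this URL and the browser will attach those cookies (CWE-352).
add_action( 'admin_post_sssb_save_vuln', 'sssb_save_vuln' );
function sssb_save_vuln() {
    // No nonce, no capability check, no validation.
    update_option( 'sssb_share_url', $_POST['share_url'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=sssb' ) );
    exit;
}

// --- Hardened form ---------------------------------------------------------
// The settings page embeds a nonce tied to the current user, the action name
// 'sssb_save_settings' and a time window; the attacker cannot read it from a
// cross-origin context, so a forged request cannot carry a valid one.
function sssb_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sssb_save">
        <?php wp_nonce_field( 'sssb_save_settings', 'sssb_nonce' ); ?>
        <input type="text" name="share_url"
               value="<?php echo esc_attr( get_option( 'sssb_share_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_sssb_save', 'sssb_save' );
function sssb_save() {
    // 1. Authorization: a nonce proves intent, not privilege, so check the
    //    capability separately (least privilege).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF (SC-23): check_admin_referer() verifies the nonce in the
    //    'sssb_nonce' field against this user and action and dies with a
    //    403 page if it is missing, expired or forged.
    check_admin_referer( 'sssb_save_settings', 'sssb_nonce' );

    // 3. Input validation (SI-10): store only a well-formed URL with an
    //    allowed scheme; esc_url_raw() returns '' for anything else.
    $url = isset( $_POST['share_url'] ) ? wp_unslash( $_POST['share_url'] ) : '';
    $url = esc_url_raw( $url );
    if ( '' === $url ) {
        wp_die( 'Invalid URL', '', array( 'response' => 400 ) );
    }

    update_option( 'sssb_share_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=sssb&updated=1' ) );
    exit;
}
```

For admin-ajax.php handlers the equivalent call is check_ajax_referer() with the same action name, and the nonce is passed through wp_localize_script() or a hidden field. When auditing a plugin for this class of bug, grep every admin_post_*, wp_ajax_* and settings-save callback for a nonce verification call and a current_user_can() check; a handler that performs a write with neither is the pattern this CVE describes.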