Cyber Resilience

CVE-2026-34904

Severity: High
Published: 07 April 2026
Modified: 24 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34904 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34904 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Simple Social Media Share Buttons WordPress plugin, also referred to as Analytify Simple Social Media Share Buttons. The flaw affects all versions from n/a through 6.2.0. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this CSRF vulnerability over the network (AV:N) by tricking an authenticated user into performing unintended actions, which requires user interaction such as visiting a malicious site (UI:R/AC:H). Successful exploitation could lead to high-impact outcomes, including unauthorized access or modification of data (C:H/I:H) and disruption of services (A:H), within the unchanged security scope (S:U).

For mitigation details, security practitioners should refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 Malicious Link (User Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

CSRF vulnerability in public-facing WordPress plugin enables exploitation of the application (T1190) via malicious link requiring user interaction (T1204.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25121 (shared CWE-352)
CVE-2025-24001 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2024-26153 (shared CWE-352)
CVE-2025-28860 (shared CWE-352)
CVE-2026-45430 (shared CWE-352)
CVE-2025-23880 (shared CWE-352)
CVE-2025-59541 (shared CWE-352)
CVE-2026-23622 (shared CWE-352)
CVE-2025-23445 (shared CWE-352)

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent): mandates mechanisms such as anti-CSRF tokens to protect session authenticity, directly preventing the forged requests at the heart of this CSRF vulnerability.

SI-2 Flaw Remediation (prevent): requires timely flaw remediation, directly addressing this specific CSRF vulnerability in the WordPress plugin through patching.

SI-10 Information Input Validation (prevent): enforces validation of elements such as CSRF tokens or Referer headers, mitigating the forged-request aspect of this vulnerability.
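To make the SC-23 and SI-10 controls concrete, here is an added example written for this page (not code from the Simple Social Media Share Buttons plugin): a hypothetical WordPress settings handler that honours any request that reaches it, beside the hardened form that uses WordPress's own nonce and capability APIs. The function and option names (sssb_*) are assumptions.

```php
<?php
// Added example for this page, not the plugin's own code.
// Names (sssb_*, the option key, the network list) are hypothetical.

// --- Vulnerable pattern: the handler trusts whatever reaches admin-post.php
// with this action, so a cross-site POST issued by a logged-in admin's browser
// silently rewrites the option (CWE-352). ---
function sssb_save_settings_vulnerable() {
    update_option( 'sssb_share_networks', $_POST['networks'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=sssb' ) );
    exit;
}

// --- Hardened pattern: nonce (SC-23), capability check, allow-list input (SI-10). ---
function sssb_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sssb_save_settings">
        <?php wp_nonce_field( 'sssb_save_settings', 'sssb_nonce' ); ?>
        <input type="text" name="networks"
               value="<?php echo esc_attr( get_option( 'sssb_share_networks', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function sssb_save_settings_hardened() {
    // Authorisation: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the nonce is bound to this user's session and this action,
    // so a forged cross-origin request cannot supply a valid one.
    // check_admin_referer() calls wp_die() when the check fails.
    check_admin_referer( 'sssb_save_settings', 'sssb_nonce' );

    // Input validation: keep only values from a fixed allow-list.
    $allowed = array( 'facebook', 'twitter', 'linkedin', 'email' );
    $raw     = isset( $_POST['networks'] ) ? sanitize_text_field( wp_unslash( $_POST['networks'] ) ) : '';
    $chosen  = array_values( array_intersect( array_map( 'trim', explode( ',', $raw ) ), $allowed ) );

    update_option( 'sssb_share_networks', implode( ',', $chosen ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=sssb&updated=1' ) );
    exit;
}

add_action( 'admin_post_sssb_save_settings', 'sssb_save_settings_hardened' );
```

In the hardened handler both the capability check and the nonce check run before update_option(), so a forged request from another origin is rejected even when the victim is logged in as an administrator.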
