WordPress Plugin Vulnerabilities

WP Like Button < 1.6.4 - Auth Bypass

Description

Authentication Bypass vulnerability in the WP Like Button (Free) plugin
version 1.6.0 allows unauthenticated attackers to change the settings of
the plugin. The contains() function in wp_like_button.php did not check if
the current request is made by an authorized user, thus allowing any
unauthenticated user to successfully update the settings of the plugin.

Affects Plugins

Plugin icon
wp-like-button
Fixed in 1.6.4

References

CVE
CVE-2019-13344
Exploitdb
47078
URL
https://packetstormsecurity.com/files/#153541/
URL
https://limbenjamin.com/articles/wp-like-button-auth-bypass.html

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Benjamin Lim
Submitter
Benjamin Lim
Submitter website
https://limbenjamin.com
Verified
Yes
WPVDB ID
d41be606-2f0e-4918-b8e2-384f0289c1d0

Timeline

Publicly Published
2019-07-05 (about 4 years ago)
Added
2019-07-09 (about 4 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Spam Free Plugin 1.9.2 - IP Blocklist Restriction Bypass
Published
2014-08-01
Title
G-Lock Double Opt-in Manager - Two Security Bypass Vulnerabilities
Published
2023-12-27
Title
Checkout Mestres WP < 7.1.9.8 - Authentication Bypass via Password Reset
Published
2023-05-15
Title
RegistrationMagic < 5.2.1.1 - Unauthenticated Authentication Bypass
Published
2023-05-17
Title
MStore API < 3.9.1 - Authentication Bypass