Vulnerability Details CVE-2019-13344
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.198
EPSS Ranking 95.2%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
- https://wordpress.org/plugins/wp-like-button/#developers
- https://wpvulndb.com/vulnerabilities/9432
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
- https://wordpress.org/plugins/wp-like-button/#developers
- https://wpvulndb.com/vulnerabilities/9432
Products affected by CVE-2019-13344
-
cpe:2.3:a:crudlab:wp_like_button:1.0.0
-
cpe:2.3:a:crudlab:wp_like_button:1.0.2
-
cpe:2.3:a:crudlab:wp_like_button:1.2.5
-
cpe:2.3:a:crudlab:wp_like_button:1.2.6
-
cpe:2.3:a:crudlab:wp_like_button:1.2.7
-
cpe:2.3:a:crudlab:wp_like_button:1.2.8
-
cpe:2.3:a:crudlab:wp_like_button:1.2.9
-
cpe:2.3:a:crudlab:wp_like_button:1.3.0
-
cpe:2.3:a:crudlab:wp_like_button:1.3.1
-
cpe:2.3:a:crudlab:wp_like_button:1.3.2
-
cpe:2.3:a:crudlab:wp_like_button:1.3.3
-
cpe:2.3:a:crudlab:wp_like_button:1.3.4
-
cpe:2.3:a:crudlab:wp_like_button:1.3.7
-
cpe:2.3:a:crudlab:wp_like_button:1.3.8
-
cpe:2.3:a:crudlab:wp_like_button:1.3.9
-
cpe:2.3:a:crudlab:wp_like_button:1.4.10
-
cpe:2.3:a:crudlab:wp_like_button:1.4.11
-
cpe:2.3:a:crudlab:wp_like_button:1.4.20
-
cpe:2.3:a:crudlab:wp_like_button:1.4.5
-
cpe:2.3:a:crudlab:wp_like_button:1.4.50
-
cpe:2.3:a:crudlab:wp_like_button:1.4.6
-
cpe:2.3:a:crudlab:wp_like_button:1.4.60
-
cpe:2.3:a:crudlab:wp_like_button:1.4.61
-
cpe:2.3:a:crudlab:wp_like_button:1.4.62
-
cpe:2.3:a:crudlab:wp_like_button:1.4.7
-
cpe:2.3:a:crudlab:wp_like_button:1.4.8
-
cpe:2.3:a:crudlab:wp_like_button:1.4.9
-
cpe:2.3:a:crudlab:wp_like_button:1.5.0
-
cpe:2.3:a:crudlab:wp_like_button:1.6.0