CVE-2019-13344
N/A
N/A
Summary
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
- https://wordpress.org/plugins/wp-like-button/#developers
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html
- https://wpvulndb.com/vulnerabilities/9432
References
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
- https://wordpress.org/plugins/wp-like-button/#developers
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html
- https://wpvulndb.com/vulnerabilities/9432
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.