CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47820 – WordPress WP Like Button plugin <= 1.7.0 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-47820
15 Nov 2023 — Missing Authorization vulnerability in CRUDLab WP Like Button allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Like Button: from n/a through 1.7.0. The WP Like Button plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the crublabFBLBAjax function in versions up to, and including, 1.7.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable and disable the lik... • https://patchstack.com/database/wordpress/plugin/wp-like-button/vulnerability/wordpress-wp-like-button-plugin-1-7-0-broken-access-control-csrf-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40199 – WordPress WP Like Button Plugin <= 1.7.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-40199
11 Aug 2023 — Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like Button plugin <= 1.7.0 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento CRUDLab WP Like Button en versiones <= 1.7.0. The WP Like Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.11. This is due to missing or incorrect nonce validation on the 'saveData' function. This makes it possible for unauthenticated attackers to save button options via a forg... • https://patchstack.com/database/vulnerability/wp-like-button/wordpress-wp-like-button-plugin-1-6-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 32%CPEs: 1EXPL: 3CVE-2019-13344 – WP Like Button <= 1.6.0 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-13344
05 Jul 2019 — An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter. Una vulnerabilidad de omisión de autenticación en el plugin ... • https://www.exploit-db.com/exploits/47078 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •