
CVE-2019-13344

WP Like Button <= 1.6.0 - Missing Authorization

Summary
  • Severity Score: 5.3 (CVSS v3.1)
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits: 3 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.


WordPress Like Button plugin version 1.6.0 suffers from an authentication bypass vulnerability.
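The defect class described above, as an added example that is not the WP Like Button plugin's own code: a constructed settings-save handler that writes POSTed values straight into options with no authorization check, beside the hardened form. The function names, option names and the `wplb_` prefix are hypothetical; the parameter names `each_page_url` and `code_snippet` are taken from the description.

```php
<?php
// Constructed example (not the WP Like Button plugin's code); names are hypothetical.

// VULNERABLE PATTERN: save whenever the POST fields are present. The admin_init hook
// also runs for unauthenticated requests to wp-admin/admin-ajax.php, so with no
// capability or nonce check any visitor can overwrite these settings. This is the
// bug class of CVE-2019-13344 (CWE-862 / CWE-306).
function wplb_save_settings_insecure() {
    if ( isset( $_POST['each_page_url'] ) || isset( $_POST['code_snippet'] ) ) {
        update_option( 'wplb_each_page_url', $_POST['each_page_url'] ?? '' );
        update_option( 'wplb_code_snippet',  $_POST['code_snippet']  ?? '' );
    }
}
// add_action( 'admin_init', 'wplb_save_settings_insecure' ); // do not use

// HARDENED PATTERN: authorization (capability) + intent (nonce) + sanitization.
function wplb_save_settings_secure() {
    if ( ! isset( $_POST['wplb_save'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'wplb' ), 403 );
    }
    // CSRF protection: the request must carry the nonce issued by the settings form.
    check_admin_referer( 'wplb_save_settings', 'wplb_nonce' );

    update_option( 'wplb_each_page_url', esc_url_raw( wp_unslash( $_POST['each_page_url'] ?? '' ) ) );
    // A snippet rendered on the front end is stored XSS if kept verbatim; allow post-safe tags only.
    update_option( 'wplb_code_snippet', wp_kses_post( wp_unslash( $_POST['code_snippet'] ?? '' ) ) );
}
add_action( 'admin_init', 'wplb_save_settings_secure' );

// The settings form paired with the secure handler must emit the matching nonce field.
function wplb_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wplb_save_settings', 'wplb_nonce' );
    echo '<input type="url" name="each_page_url" value="'
        . esc_attr( get_option( 'wplb_each_page_url', '' ) ) . '">';
    echo '<textarea name="code_snippet">'
        . esc_textarea( get_option( 'wplb_code_snippet', '' ) ) . '</textarea>';
    submit_button( 'Save', 'primary', 'wplb_save' );
    echo '</form>';
}
```

For detection in a code review, grep every handler on admin_init, admin_post_* and wp_ajax_* for a current_user_can() call before any update_option(); a handler that lacks one is the pattern this CVE describes.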

Credits: Benjamin Lim
CVSS Scores
CVSS v3.1 (base score 5.3)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-07-05 CVE Reserved
  • 2019-07-05 CVE Published
  • 2019-07-08 First Exploit
  • 2024-08-15 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-306: Missing Authentication for Critical Function
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Crudlab
  • Product: Wp Like Button
  • Version: <= 1.6.0
  • Other: wordpress
  • Status: Affected