CVE-2019-13344

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
Configurations

Configuration 1 (hide)

cpe:2.3:a:crudlab:wp_like_button:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 04:24

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html - Exploit, Third Party Advisory, VDB Entry
References () https://limbenjamin.com/articles/wp-like-button-auth-bypass.html - Exploit, Third Party Advisory () https://limbenjamin.com/articles/wp-like-button-auth-bypass.html - Exploit, Third Party Advisory
References () https://wordpress.org/plugins/wp-like-button/#developers - Release Notes, Third Party Advisory () https://wordpress.org/plugins/wp-like-button/#developers - Release Notes, Third Party Advisory
References () https://wpvulndb.com/vulnerabilities/9432 - () https://wpvulndb.com/vulnerabilities/9432 -

Information

Published : 2019-07-05 16:15

Updated : 2024-11-21 04:24


NVD link : CVE-2019-13344

Mitre link : CVE-2019-13344

CVE.ORG link : CVE-2019-13344


JSON object : View

Products Affected

crudlab

  • wp_like_button
CWE
CWE-306

Missing Authentication for Critical Function