Vulnerability Description
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
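The root cause described above is a missing authorization check on a settings-update handler. The following is an added illustration, not the plugin's own code, that contrasts the insecure pattern with a hardened WordPress handler. All names (the wplb_ functions, the wplb_settings option key, the nonce action and field) are hypothetical; only the parameter names each_page_url and code_snippet come from the advisory text.

```php
<?php
// Added example (not the WP Like Button plugin's code). Function names,
// the option key 'wplb_settings' and the nonce names are hypothetical.

// INSECURE pattern: any request that reaches this handler can rewrite
// the options, because nothing checks who is making the request.
function wplb_save_settings_insecure() {
    if ( isset( $_POST['each_page_url'] ) || isset( $_POST['code_snippet'] ) ) {
        $settings = get_option( 'wplb_settings', array() );
        $settings['each_page_url'] = isset( $_POST['each_page_url'] ) ? $_POST['each_page_url'] : '';
        $settings['code_snippet']  = isset( $_POST['code_snippet'] ) ? $_POST['code_snippet'] : '';
        update_option( 'wplb_settings', $settings );
    }
}

// HARDENED pattern: authorization (capability), CSRF (nonce), then sanitize.
function wplb_save_settings_hardened() {
    if ( ! isset( $_POST['wplb_save'] ) ) {
        return; // not a settings submission
    }

    // Authorization: only users allowed to manage site options may change settings.
    // This is the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions' ), '', array( 'response' => 403 ) );
    }

    // CSRF: the form must carry a nonce issued by wp_nonce_field( 'wplb_save_settings', 'wplb_nonce' ).
    // A nonce alone is not authorization; it only proves the request came from our form.
    check_admin_referer( 'wplb_save_settings', 'wplb_nonce' );

    $settings = get_option( 'wplb_settings', array() );

    // each_page_url is treated here as an opaque text value (assumption).
    $settings['each_page_url'] = isset( $_POST['each_page_url'] )
        ? sanitize_text_field( wp_unslash( $_POST['each_page_url'] ) )
        : '';

    // code_snippet is assumed to be HTML later echoed into pages, so strip
    // anything outside the post-safe allowlist (no <script>, no event handlers).
    $settings['code_snippet'] = isset( $_POST['code_snippet'] )
        ? wp_kses_post( wp_unslash( $_POST['code_snippet'] ) )
        : '';

    update_option( 'wplb_settings', $settings );
}
add_action( 'admin_init', 'wplb_save_settings_hardened' );
```

The order matters for defenders reviewing similar handlers: a capability check answers "may this user do this at all", the nonce check answers "did this request originate from our own form", and sanitization limits what gets stored. A handler that has only the nonce, or only sanitization, still has the authorization gap this CVE describes.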
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Crudlab | Wp Like Button | <= 1.6.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authenti (Exploit, Third Party Advisory, VDB Entry)
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html (Exploit, Third Party Advisory)
- https://wordpress.org/plugins/wp-like-button/#developers (Release Notes, Third Party Advisory)
- https://wpvulndb.com/vulnerabilities/9432
FAQ
What is CVE-2019-13344?
CVE-2019-13344 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.p...
How severe is CVE-2019-13344?
CVE-2019-13344 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-13344?
Check the references section above for vendor advisories and patch information. Affected products include: Crudlab Wp Like Button.