← back
CVE-2019-13344

CVE-2019-13344

EPSS 45.1%
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
Affected products
n/a · n/a
public PoCs found2
cve_referencepacketstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.htmlunverifiedexploitdbwww.exploit-db.com/exploits/47078unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.htmlhttps://limbenjamin.com/articles/wp-like-button-auth-bypass.htmlhttps://wordpress.org/plugins/wp-like-button/#developershttps://wpvulndb.com/vulnerabilities/9432