CVE-2019-13344
Published: 2019-07-05
Summary: An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings.
Priority: P3 (medium), CVSS 3.0 base score 5.3
Exploit: public exploit available
EPSS: 45.09% (98.6th percentile)
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crudlab | wp_like_button | <= 1.6.0 | — |
Detection & IOCs (extracted from sources)
Command quoted from the source:
curl -k -i --raw -X POST -d "page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
- Detect unauthenticated POST requests to the WordPress admin plugin settings page for WP Like Button — any POST to /wp-admin/admin.php?page=facebook-like-button without a valid authenticated session cookie should be flagged as exploitation of CVE-2019-13344.
- Alert on POST requests containing the parameter 'update_fblb' in the body targeting /wp-admin/admin.php?page=facebook-like-button, which is the trigger parameter used to save settings in the vulnerable plugin.
- Monitor for the 'code_snippet' POST parameter being set to PHP code (e.g. containing '<?php') in requests to the WP Like Button admin page, which could indicate an attacker injecting arbitrary code via the unauthenticated settings update.
- The vulnerable code path is the contains() function in wp_like_button.php; source code review or file integrity monitoring of this file can confirm whether the authorization check is absent.
- The vulnerability affects WP Like Button plugin version 1.6.0 and below (including 1.5.0). The vendor released v1.6.0 but did not fix the issue; no patched version was available at time of disclosure. Detections should target all installs up to and including v1.6.0.
- The exploit requires no authentication whatsoever — the POST request does not need any session cookie or nonce, making it trivially exploitable by any unauthenticated remote attacker.
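The three request-level detections above, implemented as an added example (not from the original page or its sources) over constructed WAF-style request records. It assumes the records carry method, URI, parsed cookies and raw body, and that a logged-in WordPress session is identified by a cookie named wordpress_logged_in_<hash>.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request records (not real traffic), one per HTTP request,
# in the shape a WAF or reverse proxy might log: method, URI, cookies, body.
SAMPLE_REQUESTS = [
    {   # legitimate admin save: authenticated, carries the WordPress login cookie
        "method": "POST",
        "uri": "/wp-admin/admin.php?page=facebook-like-button",
        "cookies": {"wordpress_logged_in_abc123": "admin|1600000000|x"},
        "body": "each_page_url=https%3A%2F%2Fexample.test&update_fblb=",
    },
    {   # unauthenticated settings change that also puts PHP into code_snippet
        "method": "POST",
        "uri": "/wp-admin/admin.php?page=facebook-like-button",
        "cookies": {},
        "body": "code_snippet=%3C%3Fphp+echo+1%3B+%3F%3E&each_page_url=https%3A%2F%2Fattacker.test&update_fblb=",
    },
    {   # unauthenticated GET of the same page: not a settings change, must not alert
        "method": "GET",
        "uri": "/wp-admin/admin.php?page=facebook-like-button",
        "cookies": {},
        "body": "",
    },
]

def is_authenticated(cookies):
    """Assumed session marker: WordPress names its login cookie wordpress_logged_in_<hash>."""
    return any(name.startswith("wordpress_logged_in_") for name in cookies)

def classify_request(req):
    """Return the detection tags that fire for one request; an empty list means no finding."""
    tags = []
    parts = urlsplit(req["uri"])
    query = parse_qs(parts.query)
    # Only POSTs to the plugin settings page are in scope for all three rules.
    if req["method"] != "POST" or parts.path != "/wp-admin/admin.php":
        return tags
    if query.get("page") != ["facebook-like-button"]:
        return tags
    # keep_blank_values so the bare 'update_fblb=' trigger is not dropped by the parser
    body = parse_qs(req["body"], keep_blank_values=True)
    if not is_authenticated(req["cookies"]):
        tags.append("unauthenticated-post")    # rule 1: no session cookie on a settings POST
    if "update_fblb" in body:
        tags.append("update_fblb-trigger")     # rule 2: the save-settings trigger parameter
    if any("<?php" in v.lower() for v in body.get("code_snippet", [])):
        tags.append("php-in-code_snippet")     # rule 3: PHP tag in the decoded code_snippet value
    return tags

def scan(requests):
    """Run classify_request over a batch and keep only records with at least one tag."""
    findings = [(i, classify_request(r)) for i, r in enumerate(requests)]
    return [(i, tags) for i, tags in findings if tags]
```

Rule 2 on its own also matches a legitimate authenticated save (the first record), so correlate it with the missing-session signal from rule 1 before escalating.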
CVSS provenance
- NVD, CVSS v3.0: 5.3 MEDIUM, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, vector AV:N/AC:L/Au:N/C:N/I:P/A:N
References
- http://packetstormsecurity.com/files/153541/WordPress-Like-Button-1.6.0-Authentication-Bypass.html
- https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
- https://wordpress.org/plugins/wp-like-button/#developers
- https://wpvulndb.com/vulnerabilities/9432