HTTP: WordPress Like Button 1.6.0 Authentication Bypass

This signature detects attempts to exploit a known vulnerability in the WordPress Like Button plugin. A successful attack can change the URL stored in the website settings.

Extended Description

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check whether the current request was made by an authorized user, so any unauthenticated user could update settings, as demonstrated by the each_page_url or code_snippet parameter of wp-admin/admin.php?page=facebook-like-button.
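The following added example is not Juniper's signature or the plugin's code; it is a log-review script that flags requests matching the pattern described above. It assumes Combined Log Format access logs and that the settings parameters travel in the query string; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2019:10:01:02 +0000] "GET /wp-admin/admin.php?page=facebook-like-button&each_page_url=http://example.invalid/ HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [19/Aug/2019:10:01:03 +0000] "GET /wp-admin/admin.php?page=facebook-like-button&code_snippet=x HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.7 - - [19/Aug/2019:10:02:00 +0000] "GET /wp-admin/admin.php?page=facebook-like-button HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2019:10:02:05 +0000] "GET /wp-admin/admin.php?page=other&each_page_url=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters named in the CVE description as the ones an unauthenticated
# request could set on the plugin's settings page.
SETTINGS_PARAMS = {"each_page_url", "code_snippet"}


def settings_params_in(target):
    """Sorted names of plugin settings parameters in the request target's query.
    Only the query string is visible in an access log; a POST carrying the same
    parameters in its body has to be inspected at a proxy or WAF instead."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("page") != ["facebook-like-button"]:
        return []
    return sorted(SETTINGS_PARAMS.intersection(q))


def find_hits(log_text):
    """Flag requests that would change the plugin's settings via the query string.
    Access logs carry no session state, so an authorized admin saving the same
    page matches too; that is the occasional false positive to expect."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = settings_params_in(m.group("target"))
        if params:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": m.group("status"), "params": params})
    return hits
```

A hit with a 200 status from a client that never authenticated is the case worth investigating; on a patched site the same request should be rejected.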

Affected Products

Crudlab wp_like_button

References

CVE: CVE-2019-13344

Short Name
HTTP:PHP:CVE-2019-13344-AUTHBY
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
1.6.0 Authentication Button Bypass CVE-2019-13344 Like WordPress
Release Date
08/19/2019
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3337
False Positive
Occasionally
Vendors

Crudlab

CVSS Score

5.0
