Main Vulnerability Database SB2019070503

SB2019070503 - Authentication bypass in WP Like Button plugin for WordPress

Published: July 5, 2019 Updated: July 18, 2019

Security Bulletin ID SB2019070503

CSH Severity

Medium

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authentication (CVE-ID: CVE-2019-13344)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the "contains()" function in "wp_like_button.php" does not check if the current request is made by an authorized user. A remote attacker can bypass authentication process and update the settings of the plugin.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
https://wordpress.org/plugins/wp-like-button/#developers