Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure
CVE-2021-24945

8HIGH

Key Information:

Vendor: Wordpress
Status: Like Button Rating ♥ Likebtn
Vendor: CVE Published:; 13 December 2021

Summary

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.

Affected Version(s)

Like Button Rating ♥ LikeBtn 2.6.38

References

https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 13, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

Krzysztof Zając