WP Like Button <= 1.7.0 – Missing Authorization via crublabFBLBAjax | CVE 2023-47820 | Plugin Vulnerabilities

Description

The WP Like Button plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the crublabFBLBAjax function in versions up to, and including, 1.7.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable and disable the like button if they are able to retrieve a nonce via a nonce leak.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

d98f62d8-fc99-471d-a9c9-53b5c6bd28d1

Timeline

Publicly Published

2023-11-15 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-01-21

Title

Houzez < 3.4.2 - Missing Authorization

Published

2026-02-24

Title

Post Duplicator < 3.0.9 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter

Published

2026-01-15

Title

NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar < 3.2.2 - Missing Authorization

Published

2024-12-17

Title

CRM WordPress Plugin – RepairBuddy < 3.8122 - Missing Authorization to Account Takeover/Privilege Escalation

Published

2026-01-25

Title

Booter < 1.5.8 - Missing Authorization