CVE-2019-13344

Name of the Vulnerable Software and Affected Versions CRUDLab WP Like Button plugin versions prior to 1.6.1

Description The issue allows unauthenticated attackers to change settings due to an authentication bypass. The contains() function in wp like button.php did not check if the current request is made by an authorized user. This allows any unauthenticated user to successfully update settings, as demonstrated by the "wp-admin/admin.php?page=facebook-like-button" endpoint with the each page url or code snippet parameter.

Recommendations For CRUDLab WP Like Button plugin versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin.php?page=facebook-like-button endpoint to minimize the risk of exploitation. Avoid using the each page url and code snippet parameters in the affected endpoint until the issue is resolved.