PT-2021-16380 · WordPress · Likebtn

Krzysztof Zając · Published 2021-12-13 · Updated 2022-10-25 · CVE-2021-24945

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LikeBtn WordPress plugin, versions prior to 2.6.38
Description: The likebtn export votes AJAX action performs neither an authorization (capability) check nor a CSRF nonce check. Because WordPress AJAX actions are reachable by every logged-in user, any authenticated user, including a subscriber, can call the action directly and download the list of email and IP addresses of the people who liked content on the blog. The missing nonce additionally lets an attacker trigger the export through a forged cross-site request from a user who is already logged in.
Recommendations: Update to version 2.6.38 or later; this is the only complete fix. Where the update cannot be applied immediately, disable the likebtn export votes AJAX action or restrict it to administrators, and do not rely on the export action until the plugin has been updated.
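The following is an added example written for this advisory; it is not LikeBtn's code and does not reproduce the plugin's actual handler. It shows the vulnerability class described above in WordPress terms (an admin-ajax action with no capability check and no nonce), the hardened form a maintainer would ship, and a mu-plugin gate that implements the "restrict to administrators" workaround on a site that cannot update yet. The action name `likebtn_export_votes`, the table and column names, and `manage_options` as the required capability are assumptions, not details from the advisory.

```php
<?php
/*
 * Added example, not LikeBtn's code. Shows the CVE-2021-24945 pattern: a
 * WordPress admin-ajax action that exports votes (email + IP) without an
 * authorization or nonce check, beside a hardened handler and a mu-plugin
 * gate that can serve as a stop-gap on a site that cannot update yet.
 *
 * Assumed, not taken from the advisory: the action name 'likebtn_export_votes',
 * the table/column names, and 'manage_options' as the required capability.
 */

// ---- 1. Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for every authenticated user (subscribers included);
// registering a handler does not authorize anyone. Without wp_ajax_nopriv_
// the endpoint is not anonymous, which is why the advisory says "authenticated".
// add_action( 'wp_ajax_likebtn_export_votes', 'likebtn_export_votes_vulnerable' );
function likebtn_export_votes_vulnerable() {
    global $wpdb;
    // Neither current_user_can() nor check_ajax_referer(): a subscriber, or a
    // forged cross-site request from any logged-in user, gets the full list.
    $rows = $wpdb->get_results(
        "SELECT email, ip FROM {$wpdb->prefix}likebtn_votes", // assumed schema
        ARRAY_A
    );
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo $row['email'] . ',' . $row['ip'] . "\n"; // voters' PII leaves the site
    }
    wp_die();
}

// ---- 2. Hardened handler ---------------------------------------------------
add_action( 'wp_ajax_likebtn_export_votes', 'likebtn_export_votes_hardened' );
function likebtn_export_votes_hardened() {
    // CSRF: the request must carry a nonce minted for this action and user,
    // e.g. wp_create_nonce( 'likebtn_export_votes' ) embedded in the admin page.
    // With $die = true (the default) a missing or stale nonce ends the request.
    check_ajax_referer( 'likebtn_export_votes', 'nonce' );

    // Authorization: exporting voter PII is an administrative operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT email, ip FROM {$wpdb->prefix}likebtn_votes", // assumed schema
        ARRAY_A
    );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    foreach ( $rows as $row ) {
        echo likebtn_csv_field( $row['email'] ) . ',' . likebtn_csv_field( $row['ip'] ) . "\n";
    }
    wp_die();
}

// Quote a CSV field and neutralise a leading formula character (=, +, -, @)
// so a voter-supplied email cannot execute as a spreadsheet formula when the
// export is opened by an administrator.
function likebtn_csv_field( $value ) {
    if ( preg_match( '/^[=+\-@]/', $value ) ) {
        $value = "'" . $value;
    }
    return '"' . str_replace( '"', '""', $value ) . '"';
}

// ---- 3. Stop-gap for a site that cannot update yet --------------------------
// Save as wp-content/mu-plugins/likebtn-export-gate.php. mu-plugins load before
// regular plugins, and 'init' runs before admin-ajax.php dispatches the action,
// so non-administrators are rejected before the plugin's handler executes.
add_action( 'init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'likebtn_export_votes' !== $action ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'likebtn_export_votes is restricted to administrators', 403 );
    }
    // No nonce check here: the unpatched plugin's own request carries none, so
    // adding one would break the legitimate export. This gate closes the
    // subscriber-level exposure only; a CSRF against an administrator remains
    // possible until the plugin is updated to 2.6.38 or later.
} );
```

The gate in part 3 only narrows who can reach the action; it does not restore the missing nonce, so it is a mitigation for the authorization defect, not for the CSRF defect. Treat it as a bridge until the 2.6.38 update is applied, then remove it.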

Tags: Exploit · Fix · Information Disclosure · CSRF

Weakness Enumeration

Related Identifiers: CVE-2021-24945

Affected Products: Likebtn