Plugin inspection:

Like Button Rating ♥ LikeBtn

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

This recommendation applies to version 2.5.3 of this plugin, but the most recent version is 2.6.10. These findings may no longer be correct.

Findings

  • Several ways to call _likebtn_save_vote() with user-supplied data, including one convoluted method which involves setting up a domain name that includes “likebtn.com”. But it looks like voter fraud is the worst thing this enables
  • Doesn’t escape SQL
  • Note that the plugin doesn’t allow you to deactivate it without sending feedback to the plugin authors. But the feedback form appears to introduce a bug which allows any authenticated user (or any unauthenticated user via CSRF) to deactivate the plugin

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe request processing

Read more about our failure criteria.