Like Button Rating ♥ LikeBtn

Potentially unsafe

Last revised: April 10, 2018

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Like Button Rating ♥ LikeBtn allows anybody to set any option

This recommendation applies to version 2.5.3 of this plugin, but the most recent version is 2.6.52. These findings may no longer be correct.

Findings

Several ways to call _likebtn_save_vote() with user-supplied data, including one convoluted method which involves setting up a domain name that includes “likebtn.com”. But it looks like voter fraud is the worst thing this enables
Doesn’t escape SQL
Note that the plugin doesn’t allow you to deactivate it without sending feedback to the plugin authors. But the feedback form appears to introduce a bug which allows any authenticated user (or any unauthenticated user via CSRF) to deactivate the plugin

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

Allows anybody to set any option in the wp_options table

Failure criteria

Execution of unprepared SQL statements
Unsafe request processing

dxw advisories

Plugin inspection: