CVE-2021-24945 - OpenCVE

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Likebtn	Like Button Rating

Configuration 1 [-]

cpe:2.3:a:likebtn:like_button_rating:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-12-13T10:41:23

Updated: 2024-08-03T19:49:14.290Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24945

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-12-13T11:15:09.617

Modified: 2023-11-07T03:31:22.173

Link: CVE-2021-24945

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Like Button Rating \u2665 LikeBtn", "vendor": "Unknown", "versions": [{"lessThan": "2.6.38", "status": "affected", "version": "2.6.38", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Krzysztof Zaj\u0105c"}], "descriptions": [{"lang": "en", "value": "The Like Button Rating \u2665 LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T10:41:23", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548"}], "source": {"discovery": "EXTERNAL"}, "title": "Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24945", "STATE": "PUBLIC", "TITLE": "Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Like Button Rating \u2665 LikeBtn", "version": {"version_data": [{"version_affected": "<", "version_name": "2.6.38", "version_value": "2.6.38"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Krzysztof Zaj\u0105c"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Like Button Rating \u2665 LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:49:14.290Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24945", "datePublished": "2021-12-13T10:41:23", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:49:14.290Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:likebtn:like_button_rating:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2C582F29-CAE1-4834-97DD-0AF333F3F5BE", "versionEndExcluding": "2.6.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Like Button Rating \u2665 LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog."}, {"lang": "es", "value": "El plugin Like Button Rating \u00e2\u2122\u00a5 LikeBtn de WordPress versiones anteriores a 2.6.38, no presenta comprobaciones de autorizaci\u00f3n y CSRF en la acci\u00f3n likebtn_export_votes AJAX, lo que podr\u00eda permitir a cualquier usuario autenticado, como el suscriptor, conseguir una lista de direcciones de correo electr\u00f3nico e IP de las personas a las que les ha gustado el contenido del blog"}], "id": "CVE-2021-24945", "lastModified": "2023-11-07T03:31:22.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T11:15:09.617", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "contact@wpscan.com", "type": "Secondary"}]}