CVE-2021-24945 in LikeBtn Like Button Rating
Summary
by MITRE • 12/13/2021
The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/16/2021
The vulnerability identified as CVE-2021-24945 affects the Like Button Rating plugin for WordPress, specifically versions prior to 2.6.38. This issue represents a critical authorization and cross-site request forgery weakness that fundamentally undermines the security posture of affected WordPress installations. The vulnerability exists within the likebtn_export_votes AJAX action, which is designed to export voting data but fails to implement proper access controls or CSRF protection mechanisms. This flaw enables any authenticated user account, regardless of role level including subscribers, to exploit the functionality and obtain sensitive information about users who have interacted with content on the blog.
The technical implementation of this vulnerability stems from the plugin's failure to validate user permissions before executing the export functionality. According to CWE-863, this represents a "Incorrect Authorization" vulnerability where the application does not properly verify that the requesting user has adequate privileges to perform the requested operation. The absence of CSRF protection means that malicious actors could potentially craft requests that exploit this vulnerability without user knowledge, though the requirement for authentication provides some mitigation against automated attacks. The exported data includes email addresses and IP addresses of users who have engaged with content, creating a significant privacy risk for the WordPress site's visitors.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates a potential avenue for social engineering attacks and user enumeration. Attackers could systematically gather information about users who have interacted with specific content, potentially identifying active users or contributors to particular discussions. This information could then be used for targeted phishing campaigns, account takeover attempts, or to build profiles of user engagement patterns. The vulnerability affects any WordPress installation running the affected plugin version, regardless of the site's security configuration or the user's role within the system. Organizations may find that their existing security measures, such as firewalls or intrusion detection systems, fail to prevent this particular attack vector due to its legitimate API endpoint nature.
Mitigation strategies should prioritize immediate plugin updates to version 2.6.38 or later, which contains the necessary authorization and CSRF protection fixes. Administrators should also implement additional monitoring of AJAX endpoints to detect unusual access patterns or unauthorized data export requests. The principle of least privilege should be enforced by ensuring that only administrators or designated users have access to sensitive data export functionality. This vulnerability aligns with ATT&CK technique T1213.002 for Data from Information Repositories, as it enables unauthorized access to user data stored within the WordPress environment. Organizations should also consider implementing web application firewalls that can detect and block suspicious AJAX requests, and conduct regular security audits to identify similar authorization flaws in other plugins or custom code implementations.