CVE-2019-13344

MEDIUM

CRUDLab WP Like Button <= 1.6.0 - Unauthenticated Settings Update via contains() Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13344. PoCs published by Benjamin Lim.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass vulnerability in WP Like Button 1.6.0, allowing unauthenticated attackers to modify plugin settings via a crafted POST request. The PoC uses curl to change the `each_page_url` parameter, enabling Facebook like hijacking.

Description

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.

Exploits (1)

exploitdb WORKING POC
by Benjamin Lim · text · webapps · php
https://www.exploit-db.com/exploits/47078

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WP Like Button 1.6.0
No auth needed
Prerequisites: Access to the target WordPress admin interface
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://limbenjamin.com/articles/wp-like-button-auth-bypass.html
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/wp-like-button/#developers
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9432

Scores

CVSS v3 5.3
EPSS 0.4510
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE CWE-306
Status published
Products (1)
crudlab/wp_like_button < 1.6.0
Published Jul 05, 2019
Tracked Since Feb 18, 2026