Description
The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not perform any authorisation or CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of the email and IP addresses of people who liked content from the blog.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548
Scores
CVSS v3: 8.0
EPSS: 0.0056
EPSS Percentile: 42.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-200, CWE-352
Status: published
Products (1): likebtn/like_button_rating < 2.6.38
Published: Dec 13, 2021
Tracked Since: Feb 18, 2026