[FD] Like Button Rating ♥ LikeBtn allows anybody to set any option (WordPress plugin)

Details
================
Software: Like Button Rating ♥ LikeBtn
Version: 2.5.3
Homepage: https://ift.tt/1sqIK9v
Advisory report: https://ift.tt/2uYdrcu
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
================
Like Button Rating ♥ LikeBtn allows anybody to set any option

Vulnerability
================
In the init action, this plugin checks to see if $_POST['likebtn_import_config'] is empty. If it's not empty then it base64-decodes the string, parses it as JSON, and starts changing options, without checking who made the request.

Proof of concept
================
The below form will set the "Site Title" option to "Temmie":

This works whether you're logged in or not. The base64-encoded JSON above is this:

    {
        "likebtn_settings_options": {
            "blogname": "Temmie"
        }
    }

Mitigations
================
Upgrade to version 2.5.4 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://ift.tt/1B6NWzd

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2017-10-27: Discovered
2017-11-02: Reported to vendor via email
2017-11-02: Vendor reported fixed

Discovered by dxw:
================
Tom Adams

Please visit security.dxw.com for more information.
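The unauthenticated import pattern the Vulnerability section describes, shown beside a hardened handler, as an added PHP illustration that is not the plugin's own code (the function names, the nonce action 'likebtn_import_config' and the 'likebtn_' option-name prefix are assumptions):

```php
<?php
// Added illustration, not the plugin's code. It contrasts the pattern the advisory
// describes (an init handler that trusts $_POST['likebtn_import_config']) with a
// hardened handler. Function names, nonce action and option prefix are assumptions.

// Pattern described in the advisory: any request, logged in or not, changes any option.
function likebtn_import_config_unsafe() {
    if ( empty( $_POST['likebtn_import_config'] ) ) {
        return;
    }
    $config = json_decode( base64_decode( $_POST['likebtn_import_config'] ), true );
    foreach ( $config['likebtn_settings_options'] as $name => $value ) {
        update_option( $name, $value ); // e.g. "blogname" => "Temmie"
    }
}

// Hardened handler: require an administrator, a nonce bound to this action,
// strict decoding, and an allowlist of options the plugin actually owns.
function likebtn_import_config_hardened() {
    if ( empty( $_POST['likebtn_import_config'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // anonymous and low-privilege users never reach the option writes
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'likebtn_import_config' ) ) { // nonce action name is assumed
        return; // stops a forged cross-site request riding on an admin's session
    }
    $raw    = base64_decode( wp_unslash( $_POST['likebtn_import_config'] ), true ); // strict mode rejects junk
    $config = ( $raw === false ) ? null : json_decode( $raw, true );
    if ( ! is_array( $config ) || ! isset( $config['likebtn_settings_options'] ) ) {
        return;
    }
    // Only option names carrying the plugin's own prefix may be written; "blogname" is refused.
    foreach ( (array) $config['likebtn_settings_options'] as $name => $value ) {
        if ( strpos( $name, 'likebtn_' ) !== 0 || ! is_scalar( $value ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
}
add_action( 'init', 'likebtn_import_config_hardened' );
```

The capability check alone removes the anonymous case the advisory reports; the nonce and the option allowlist close the remaining paths by which an import could rewrite core settings such as the site title.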

Source: Gmail -> IFTTT-> Blogger

from Blogger http://insidenothing.blogspot.com/2018/04/fd-like-button-rating-likebtn-allows.html
via IFTTT
