CVE-2021-24945

Published: Dec 13, 2021Modified: Jun 17, 2026

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.

Affected (1)

Products: Likebtn: Like Button Rating

1 product

Like Button Rating

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Likebtn Like Button Rating	Before 2.6.38

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/d7618061-a7fa-4da4-9384-be19bc5e8548

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.