CVE-2021-24150
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks through the LikeBtn WordPress plugin. Attackers can make the vulnerable server send HTTP requests to internal systems, potentially accessing sensitive information or services. WordPress sites using the affected plugin versions are at risk.
💻 Affected Systems
- LikeBtn WordPress Like Button Rating plugin
📦 What is this software?
Likebtn Like Button by Likebtn Like Button Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, sensitive data, or use the vulnerable server as a proxy for attacks against internal infrastructure, potentially leading to data breaches or lateral movement.
Likely Case
Attackers scan for vulnerable sites and use them to probe internal networks, access metadata services, or interact with internal APIs to gather information.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to information disclosure from services the web server can reach.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited in automated attacks. Public exploit details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.32 and later
Vendor Advisory: https://wpscan.com/vulnerability/6bc6023f-a5e7-4665-896c-95afa5b638fb
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'LikeBtn WordPress Like Button Rating' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.6.32+ from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the LikeBtn plugin until it is patched
wp plugin deactivate likebtn-like-button
Network egress filtering
Restrict outbound HTTP requests from web servers to only the necessary destinations
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SSRF patterns
- Restrict network access from web servers to internal services using firewall rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the LikeBtn plugin version. If the version is below 2.6.32, the site is vulnerable.
Check Version:
wp plugin get likebtn-like-button --field=version
Verify Fix Applied:
Confirm plugin version is 2.6.32 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs
- Requests to LikeBtn plugin endpoints with URL parameters
Network Indicators:
- Web server making unexpected HTTP requests to internal services
- Requests to cloud metadata endpoints from web server
SIEM Query:
source="web_server_logs" AND (uri LIKE "%likebtn%" OR uri LIKE "%like-button%") AND (param CONTAINS "http://" OR param CONTAINS "https://")
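The log indicators above, turned into a runnable check as an added example (not part of this advisory or the plugin): it parses combined-format access log lines, flags requests to LikeBtn paths that carry a URL-valued query parameter, and marks targets whose host is a private, loopback or link-local IP literal. The sample lines are constructed, and the endpoint file name in them is a placeholder because the advisory does not name the real endpoint.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# The endpoint path is a placeholder; the advisory does not name the real one.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /wp-content/plugins/likebtn-like-button/endpoint.php?url=http://10.0.0.5/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:12:00:02 +0000] "GET /wp-content/plugins/likebtn-like-button/endpoint.php?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 128 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "GET /wp-content/plugins/likebtn-like-button/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:12:00:04 +0000] "GET /?s=https://example.com HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_MARKERS = ("likebtn", "like-button")  # same path fragments as the SIEM query


def outbound_targets(uri):
    """Return URL-valued query parameters of a request to a LikeBtn path."""
    parts = urlsplit(uri)
    haystack = (parts.path + "?" + parts.query).lower()
    if not any(marker in haystack for marker in PLUGIN_MARKERS):
        return []
    # parse_qs percent-decodes, so an encoded 'http%3A%2F%2F' is still caught
    return [v for values in parse_qs(parts.query).values() for v in values
            if v.lower().startswith(("http://", "https://"))]


def target_is_internal(url):
    """True if the target host is an IP literal in a private, loopback or link-local range."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostname rather than IP literal; needs resolution to judge
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def scan_log(text):
    """Return one finding per request that hands a URL to a LikeBtn endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for target in outbound_targets(m["uri"]):
            findings.append({"src": m["ip"], "ts": m["ts"], "target": target,
                             "internal": target_is_internal(target)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the parameter values are decoded before matching, the second sample line is caught even though its `http://` is percent-encoded, which a literal substring match like the SIEM query above would miss.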