The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not perform any authorisation or CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of the email and IP addresses of people who liked content from the blog.
[
  {
    "product": "Like Button Rating ♥ LikeBtn",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.6.38",
        "status": "affected",
        "version": "2.6.38",
        "versionType": "custom"
      }
    ]
  }
]