WP ULike – Like & Dislike Buttons for Engagement and Feedback Vulne…

Mar 10, 2026 | Plugins

Attack Vectors

WP ULike – Like & Dislike Buttons for Engagement and Feedback (slug: wp-ulike) is affected by a Medium-severity vulnerability (CVSS 6.4) tracked as CVE-2026-2358.

The issue can be exploited by an authenticated user with Contributor-level access (or higher) who can create or edit content and insert the [wp_ulike_likers_box] shortcode with a crafted attribute. Because it is a stored cross-site scripting (XSS) risk, the malicious code can run later whenever other users (including administrators, editors, staff, or site visitors) load the affected page.

This makes the risk particularly relevant for organizations that allow multiple internal users, agencies, freelancers, or partners to publish or contribute content—especially where WordPress roles are broadly assigned or where accounts are shared.

Security Weakness

In versions up to and including 5.0.1, the plugin is reported to be vulnerable to Stored Cross-Site Scripting via the template attribute of the [wp_ulike_likers_box] shortcode.

According to the published analysis, the weakness stems from using html_entity_decode() on shortcode attributes without later sanitizing the output. This can effectively bypass WordPress’s normal content filtering (including wp_kses_post()), enabling an authenticated attacker to inject scripts that execute in other users’ browsers when viewing the compromised content.

At the time of writing, the remediation guidance indicates no known patch is available. The primary risk decision is therefore operational: whether to continue running the plugin while implementing mitigations, or to remove/replace it based on your organization’s risk tolerance.

Technical or Business Impacts

Although the severity is rated Medium, stored XSS can create outsized business risk because it can be used to target high-value users (e.g., site admins) and persist until found and removed. Potential impacts include:

Account compromise and privilege escalation: If an administrator views an injected page while logged in, the attacker may be able to perform actions in that admin’s browser session (e.g., changing settings, creating new users, or planting additional backdoors), depending on what defenses and browser protections are in place.

Brand and customer trust damage: Injected scripts can redirect visitors, display fraudulent prompts, or alter page content—creating reputational harm and undermining campaign performance, conversion rates, and audience trust.

Compliance and reporting exposure: If a malicious script captures personal data or authentication details, it can trigger incident response obligations (contractual, regulatory, or client-driven). Marketing and analytics integrity can also be impacted if pages are modified or user activity is manipulated.

Operational disruption: Investigating and cleaning stored XSS often requires content audits, user access reviews, and potentially emergency changes (disabling features/plugins), which can interrupt publishing schedules and active campaigns.

Mitigation options while evaluating next steps (given no known patch):

Consider uninstalling and replacing the affected plugin.
Restrict or remove Contributor access where feasible.
Require editorial review workflows before content is published.
Audit posts and pages for usage of [wp_ulike_likers_box] (especially the template attribute).
Use a website firewall and logging/alerting to detect suspicious content changes and admin actions.
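As an added example (not code from the plugin or from the original write-up), a small Python audit that applies the content-audit step above to exported post content: it finds every [wp_ulike_likers_box] usage and flags template attributes whose value changes under entity decoding (the step html_entity_decode() performs in the plugin) and whose decoded form contains markup, event handlers or javascript: URLs. The sample posts, post IDs and regular expressions are constructed for illustration.

```python
import html
import re

# One match per [wp_ulike_likers_box ...] occurrence; group(1) is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[wp_ulike_likers_box\b([^\]]*)\]", re.IGNORECASE)
# key="value", key='value' or key=value, the forms WordPress's shortcode parser accepts.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Tag-like markup, inline event handlers or javascript: URLs in the decoded attribute value.
SUSPICIOUS_RE = re.compile(r"</?[a-z][a-z0-9]*[\s>/]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def parse_attrs(attr_str):
    """Map attribute names to values for one shortcode occurrence."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_str)}

def audit_post(post_id, content):
    """One finding per shortcode occurrence in a post's stored content."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        template = parse_attrs(m.group(1)).get("template")
        # html.unescape mirrors what html_entity_decode() would do to the stored value.
        decoded = html.unescape(template) if template is not None else None
        findings.append({
            "post_id": post_id,
            "shortcode": m.group(0),
            "template": template,
            "entity_encoded": template is not None and decoded != template,
            "suspicious": template is not None and bool(SUSPICIOUS_RE.search(decoded)),
        })
    return findings

# Constructed sample post_content rows (not data from any real site); keys are post IDs.
SAMPLE_POSTS = {
    101: "Thanks for reading! [wp_ulike_likers_box]",
    102: '[wp_ulike_likers_box template="default" style="compact"]',
    103: 'Credits: [wp_ulike_likers_box template="Tom &amp; Jerry"]',
    104: '<p>Hi</p>[wp_ulike_likers_box template="&lt;script&gt;alert(1)&lt;/script&gt;"]',
}

def run_audit(posts=SAMPLE_POSTS):
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]

def suspicious_post_ids(posts=SAMPLE_POSTS):
    return sorted({f["post_id"] for f in run_audit(posts) if f["suspicious"]})

if __name__ == "__main__":
    for f in run_audit():
        label = "SUSPICIOUS" if f["suspicious"] else ("entity-encoded" if f["entity_encoded"] else "ok")
        print(f"post {f['post_id']}: {label:14} {f['shortcode']}")
```

Entity-encoded values are exactly what the Contributor's save leaves in the database after WordPress's normal filtering, so a flagged post is worth a manual look at the post revisions and the account that last edited it.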

Similar Attacks

Stored XSS in WordPress plugins is a recurring pattern because it can turn normal publishing features (shortcodes, form fields, widgets) into a persistent injection point. For reference, here are examples of real, publicly documented XSS cases in the WordPress ecosystem:

CVE-2019-9978 (Social Warfare plugin) — XSS
CVE-2021-25036 (WordPress plugin) — Stored XSS class issue

Source for this vulnerability write-up: Wordfence Threat Intelligence.
