Description
The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Patch Now
AI Analysis

Impact

The Like‑it WordPress plugin is missing a nonce check in the likeit_conf() handler, enabling a Cross‑Site Request Forgery that lets an unauthenticated attacker change plugin settings and inject a malicious script that is stored for later display. The weakness, classified as CWE‑352, effectively gives the attacker the ability to execute arbitrary JavaScript in the context of the site’s visitors when the tampered settings are rendered, allowing defacement, credential theft, or further exploitation of the host. This flaw is present in every version of Like‑it up to and including 2.2, affecting WordPress sites that have installed or upgraded to these releases. The plugin is maintained by nikolayyordanov and is listed in the WordPress plugin repository; the vulnerable function is located in like‑it.php around lines 130–131 as noted in the plugin source. The risk profile reflects a medium CVSS score of 6.1, but the EPSS score of <1 % suggests that widespread exploitation is unlikely at the moment, and the issue is not currently listed in CISA’s KEV database. Nevertheless, administrators should treat the administrative interface with care: an attacker only needs to trick a site administrator into clicking a crafted link or submitting a form, after which the missing nonce check permits the settings overwrite and insertion of a persistent XSS payload. The exploit does not require the attacker to hold credentials and has no direct impact on the WordPress core, but it does expose anyone viewing the affected settings to arbitrary JavaScript execution.

Affected Systems

WordPress installations running the Like‑it plugin version 2.2 or older. The plugin, developed by nikolayyordanov, is available in the WordPress plugin repository. Administrators of sites hosting any of these releases are at risk.

Risk and Exploitability

Due to the missing nonce validation, an attacker can forge a request to the likeit_conf() endpoint and, using a link that an admin might click, change configuration settings and persist a malicious script. The exploit relies on social engineering to get the administrator to trigger the request; it does not require the attacker to authenticate or hold any privilege. The CVSS score of 6.1 indicates a medium severity, and the EPSS of <1 % indicates a low probability of large‑scale exploitation, but the flaw is public and could be used in targeted attacks.
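The following is an added illustration written for this page, not code from the Like‑it plugin: a generic WordPress settings handler in the shape the analysis describes (no nonce check, no capability check, raw input stored) next to the hardened form of the same handler. All function, option and form‑field names (example_conf_*, example_text, example_nonce, example_save_settings) are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the Like-it plugin's own code. Names are assumptions.

// --- Vulnerable pattern: whatever arrives in POST is saved, with no nonce
//     and no capability check. A forged form submitted from an admin's
//     browser reaches update_option() exactly like a legitimate one.
function example_conf_vulnerable() {
    if ( isset( $_POST['example_text'] ) ) {
        update_option( 'example_text', $_POST['example_text'] ); // stored unsanitized
    }
}

// --- Hardened pattern: capability check, nonce check, sanitized input.
function example_conf_fixed() {
    if ( ! isset( $_POST['example_text'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. Nonce: the token is bound to the logged-in user and the action name,
    //    so a cross-site form cannot supply a valid one. check_admin_referer()
    //    terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Sanitize on the way in (plain text expected here).
    $value = sanitize_text_field( wp_unslash( $_POST['example_text'] ) );
    update_option( 'example_text', $value );
}

// Settings form: emits the nonce field with the same action and field names
// the handler verifies, and escapes the stored value for the attribute context.
function example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_text"
               value="<?php echo esc_attr( get_option( 'example_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Escape on the way out: even if a bad value reached the database,
//    rendering it through esc_html() prevents it from executing as script.
function example_render_text() {
    echo esc_html( get_option( 'example_text', '' ) );
}
```

The nonce and capability checks address the CSRF described in this record; the input sanitization and output escaping address the stored‑XSS consequence, so that a settings overwrite alone can no longer place executable script in front of visitors. A detection rule such as the WAF suggestion in the recommended actions would key on the same signal: a POST to the settings handler that carries no valid nonce field.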

Generated by OpenCVE AI on April 22, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Like‑it plugin to the latest released version that contains the nonce fix – any release beyond 2.2 removes the vulnerability.
  • Implement a Web Application Firewall or host‑level rule that blocks or alerts on unexpected modifications to plugin configuration settings, or specifically blocks POST requests to the likeit_conf() endpoint without a valid nonce.
  • Ensure site administrators use multi‑factor authentication and scrutinize links and forms before acting on them, to reduce the chance an attacker can induce a CSRF request.


Advisories

No advisories yet.

History

Tue, 18 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 14:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title       |                | Like-it <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:54.936Z

Reserved: 2025-10-28T14:32:51.804Z

Link: CVE-2025-12404

Vulnrichment

Updated: 2025-11-18T14:59:22.273Z

NVD

Status: Deferred

Published: 2025-11-18T09:15:48.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses