Description
Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes wp-likes allows Reflected XSS. This issue affects WP likes: from n/a through <= 3.1.1.
Published: 2025-09-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A CSRF flaw in the WP likes plugin also permits reflected XSS, allowing an attacker to forge requests on behalf of authenticated users and inject script via URLs that echo back, compromising user sessions; this weakness is identified as CWE-352.

Affected Systems

The WordPress WP likes plugin developed by aakash1911 is affected; all released versions up to and including 3.1.1 are vulnerable. Sites using this plugin on WordPress are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate-to-high severity, while the EPSS score of < 1% suggests a low current probability of exploitation, and the vulnerability is not in the CISA KEV catalog. However, because any authenticated user of a site running WP likes <= 3.1.1 can be targeted with crafted links or forms, the potential damage is significant; the likely attack vector is a simple HTTP request or link embedded in a web page, email, or social media post, requiring only that the vulnerable plugin be installed and no administrative privileges.

Generated by OpenCVE AI on April 30, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP likes plugin to a version newer than 3.1.1.
  • Disable or uninstall the WP likes plugin if a newer version is not yet available.
  • Ensure that WordPress nonces or CSRF tokens are required for all state-changing requests introduced by the plugin.

Advisories
Source: EUVD
ID: EUVD-2025-26929
Title: Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes allows Reflected XSS. This issue affects WP likes: from n/a through 3.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes allows Reflected XSS. This issue affects WP likes: from n/a through 3.1.1.
  • Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes wp-likes allows Reflected XSS.This issue affects WP likes: from n/a through <= 3.1.1.
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Sun, 07 Sep 2025 15:30:00 +0000

  • First Time appeared: Wordpress; Wordpress wordpress
  • Vendors & Products: Wordpress; Wordpress wordpress

Fri, 05 Sep 2025 15:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Sep 2025 14:00:00 +0000

  • Description: Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes allows Reflected XSS. This issue affects WP likes: from n/a through 3.1.1.
  • Title: WordPress WP likes Plugin <= 3.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:15:37.906Z

Reserved: 2025-09-05T10:49:49.115Z

Link: CVE-2025-58848

Vulnrichment

Updated: 2025-09-05T14:43:53.651Z

NVD

Status: Deferred

Published: 2025-09-05T14:15:58.873

Modified: 2026-04-23T15:33:45.133

Link: CVE-2025-58848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:30:25Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)