Description
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render.
Published: 2026-03-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Key detail from the vendor description: the WP ULike plugin for WordPress contains a stored cross-site scripting vulnerability in the `template` attribute of the `[wp_ulike_likers_box]` shortcode. The plugin applies `html_entity_decode()` to shortcode attributes without sanitizing the decoded result before output, which effectively bypasses WordPress's default `wp_kses_post()` content filtering: the filter sees only entity-encoded text when the post is saved, and the decode step turns that text back into live markup at render time. This flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that runs whenever any user views a page containing an affected post that has at least one like, directly affecting the confidentiality, integrity, and availability of the site's front end.
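The sanitizer-ordering problem described above, modelled in plain PHP as an added example (this is not code from the WP ULike plugin or from the advisory). Because it must run without WordPress loaded, `kses_like()` is a small stand-in for `wp_kses_post()` that keeps an allowlist of formatting tags and strips the rest; the stored attribute value is a constructed sample. The example also shows the mitigation the Recommended Actions allude to: whatever filtering or escaping is applied must run after the last decoding step, never before it.

```php
<?php
// Added example, not from the WP ULike plugin. Models how html_entity_decode()
// applied after content filtering turns filtered text back into live markup,
// and how re-filtering (or escaping) the decoded string closes the gap.

// Stand-in for WordPress's wp_kses_post(): keeps a short allowlist of tags and
// drops everything else (<script> is never allowed). Not the real implementation.
function kses_like(string $html): string {
    return strip_tags($html, '<p><a><b><strong><em><span>');
}

// Constructed sample: the shortcode attribute as it sits in post content after
// save-time filtering. It is entity-encoded text, so it contains no tags and
// the content filter passes it through unchanged.
const STORED_ATTR = '&lt;script&gt;/* constructed marker */&lt;/script&gt;';

// Vulnerable pattern: decode entities and emit the result directly into the page.
function render_vulnerable(string $attr): string {
    $decoded = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
    return '<div class="likers-box">' . $decoded . '</div>';
}

// Hardened pattern 1: if the template genuinely needs limited HTML, run the
// content filter on the *decoded* string, i.e. after the last decode step.
// In WordPress this is wp_kses_post($decoded); kses_like() stands in for it here.
function render_hardened(string $attr): string {
    $decoded = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
    return '<div class="likers-box">' . kses_like($decoded) . '</div>';
}

// Hardened pattern 2: if the attribute is only ever plain text, escape it for
// HTML output instead of filtering (WordPress equivalent: esc_html()/esc_attr()).
function render_escaped(string $attr): string {
    $decoded = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
    return '<div class="likers-box">' . htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Self-check that makes the ordering bug visible. Returns true when the
// vulnerable renderer emits a live <script> tag and both hardened ones do not.
function self_check(): bool {
    $filter_passed_untouched = kses_like(STORED_ATTR) === STORED_ATTR;
    $vulnerable_emits_tag    = str_contains(render_vulnerable(STORED_ATTR), '<script>');
    $hardened_safe           = !str_contains(render_hardened(STORED_ATTR), '<script>');
    $escaped_safe            = !str_contains(render_escaped(STORED_ATTR), '<script>');
    return $filter_passed_untouched && $vulnerable_emits_tag && $hardened_safe && $escaped_safe;
}

echo self_check() ? "ordering bug reproduced; both fixes hold\n" : "unexpected result\n";
```

Run it with `php example.php`. The point the page makes is visible in `self_check()`: the filter leaves the stored value untouched because it is entity-encoded text, and only the decode step, performed later than the filter, produces a tag. Any fix therefore has to sanitize or escape the decoded value; filtering the encoded value earlier (as `wp_kses_post()` does at save time) is not sufficient on its own.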

Affected Systems

The vulnerability affects all installations of the WP ULike plugin from vendor alimir, specifically all versions up to and including 5.0.1. WordPress sites that have the plugin activated and employ the `[wp_ulike_likers_box]` shortcode in any page or post are at risk.

Risk and Exploitability

The CVSS score for this issue is 6.4, indicating medium severity. The EPSS score is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor or higher privileges, and the payload executes only if the target page contains a post that has at least one like. Consequently, the risk comes primarily from insiders or from compromised contributor accounts, and the potential impact is significant only if such an account is accessible to malicious actors.

Generated by OpenCVE AI on March 17, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP ULike plugin to version 5.0.2 or newer.
  • If an immediate update is not possible, remove the `[wp_ulike_likers_box]` shortcode from posts or replace it with a sanitized version that strips non‑allowed tags.
  • Restrict Contributor or higher privileges to trusted users, or use a role‑management plugin to limit write access and reduce the attack surface.
  • After applying a patch or removal, clear any previously stored malicious payloads from the database to ensure no residual XSS remains.
  • Monitor site logs for any unusual script execution or repeated XSS attempts to detect potential exploitation attempts.

Generated by OpenCVE AI on March 17, 2026 at 15:13 UTC.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Alimir; Alimir wp Ulike – Like & Dislike Buttons For Engagement And Feedback; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Alimir; Alimir wp Ulike – Like & Dislike Buttons For Engagement And Feedback; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render.

Type: Title
Values Added: WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Alimir Wp Ulike – Like & Dislike Buttons For Engagement And Feedback
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:46.227Z

Reserved: 2026-02-11T17:02:48.061Z

Link: CVE-2026-2358

Vulnrichment

Updated: 2026-03-11T15:39:20.925Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T06:17:14.033

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-2358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:51Z

Weaknesses