{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12404", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T14:32:51.804Z", "datePublished": "2025-11-18T08:27:32.530Z", "dateUpdated": "2026-04-08T16:58:54.936Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:54.936Z"}, "affected": [{"vendor": "nikolayyordanov", "product": "Like-it", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Like-it <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ad1d9f5-c224-4d28-8d73-439b3c5ca24f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L130"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/tpl/config.php#L37"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-11-17T20:15:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T14:59:14.864417Z", "id": "CVE-2025-12404", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:59:31.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T14:59:14.864417Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:59:22.273Z"}}], "cna": {"title": "Like-it <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nikolayyordanov", "product": "Like-it", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T20:15:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ad1d9f5-c224-4d28-8d73-439b3c5ca24f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L130"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/tpl/config.php#L37"}], "descriptions": [{"lang": "en", "value": "The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:54.936Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12404", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:54.936Z", "dateReserved": "2025-10-28T14:32:51.804Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T08:27:32.530Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12404", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T09:15:48.113", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L130"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L131"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/tpl/config.php#L37"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ad1d9f5-c224-4d28-8d73-439b3c5ca24f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:44:09.398169+00:00", "value": {"mitigation_remediation": ["Upgrade the Like\u2011it plugin to the latest released version that contains the nonce fix \u2013 any release beyond 2.2 removes the vulnerability.", "Implement a Web Application Firewall or host\u2011level rule that blocks or alerts on unexpected modifications to plugin configuration settings, or specifically blocks POST requests to the likeit_conf() endpoint without a valid nonce.", "Ensure site administrators use multi\u2011factor authentication and practice strict link review to reduce the chance an attacker can induce a CSRF request."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Like\u2011it plugin version 2.2 or older. The plugin, developed by nikolayyordanov, is available in the WordPress plugin repository. Administrators of sites hosting any of these releases are at risk.", "description_and_impact": "The Like\u2011it WordPress plugin suffers from a missing nonce check in the likeit_conf() handler, enabling a Cross\u2011Site Request Forgery that lets an unauthenticated attacker change plugin settings and inject a malicious script that is stored for later display. The attack, identified as CWE\u2011352, effectively gives the attacker the ability to execute arbitrary JavaScript in the context of the site\u2019s visitors when the destroyed settings are rendered, allowing defacement, credential theft, or further exploitation of the host.\n\nThis flaw is present in every version of Like\u2011it up to and including 2.2, affecting WordPress sites that have installed or upgraded to these releases. The plugin is maintained by nikolayyordanov and can be identified in the WordPress plugin base, with the vulnerable function located in like\u2011it.php around line 130\u2013131 as noted in the plugin source.\n\nThe risk profile reflects a medium CVSS score of 6.1, but the EPSS score of <1\u202f% suggests that widespread exploitation is unlikely at the moment, and the issue is not currently listed in CISA\u2019s KEV database. Nevertheless, the administrative interface must be used carefully: an attacker must trick a site administrator into clicking a crafted link or form submission, after which the CSRF bypass permits the settings overwrite and insertion of a persistent XSS payload. The exploit does not require credentials and has no direct impact on the WordPress core, but it does open the site to arbitrary JavaScript execution by anyone viewing the affected settings.", "risk_and_exploitability": "Due to the missing nonce validation, an attacker can form a request to the likeit_conf() endpoint and, using a link that an admin might click, change configuration settings and persist a malicious script. The exploit relies on social engineering to get the administrator to trigger the request; it does not require any authentication or advanced privilege. The CVSS score of 6.1 indicates a medium severity, and the EPSS of <1\u202f% indicates low probability of large\u2011scale exploitation, but the flaw is public and could be used for targeted attacks."}}}}, "created": "2025-11-18T14:15:48.736456+00:00", "updated": "2026-04-22T12:00:05.914654+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}