{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14129", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T17:01:22.711Z", "datePublished": "2025-12-12T03:20:42.069Z", "dateUpdated": "2026-04-08T16:42:30.399Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:30.399Z"}, "affected": [{"vendor": "wasiul99", "product": "Like DisLike Voting", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25dfa483-26c6-43d1-9a24-9ea245b54f4c?source=cve"}, {"url": "https://wordpress.org/plugins/like-dislike-voting/"}, {"url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/trunk/files/function.php#L76"}, {"url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/tags/1.0.1/files/function.php#L76"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2025-12-11T14:23:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:07:34.894762Z", "id": "CVE-2025-14129", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:16:34.167Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:07:34.894762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:07:37.959Z"}}], "cna": {"title": "Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wasiul99", "product": "Like DisLike Voting", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:23:07.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25dfa483-26c6-43d1-9a24-9ea245b54f4c?source=cve"}, {"url": "https://wordpress.org/plugins/like-dislike-voting/"}, {"url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/trunk/files/function.php#L76"}, {"url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/tags/1.0.1/files/function.php#L76"}], "descriptions": [{"lang": "en", "value": "The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:42.069Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14129", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:16:34.167Z", "dateReserved": "2025-12-05T17:01:22.711Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:42.069Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-14129", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:47.553", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/tags/1.0.1/files/function.php#L76"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/like-dislike-voting/trunk/files/function.php#L76"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/like-dislike-voting/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25dfa483-26c6-43d1-9a24-9ea245b54f4c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:14:39.955202+00:00", "value": {"mitigation_remediation": ["Upgrade the Like DisLike Voting plugin to the latest release that removes the use of $SERVER['PHP_SELF'] or applies proper output escaping.", "If an update is not possible, immediately disable or uninstall the plugin to eliminate the malicious input vector.", "As a temporary measure, apply input validation to sanitize $SERVER['PHP_SELF'] or implement a custom filter that encodes the value before output, and consider adding a web\u2011application\u2011firewall rule to block common reflected XSS payloads."], "summary": {"action": "Update Plugin", "impact": "Reflected Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Like DisLike Voting plugin from vendor wasiul99 that use version 1.0.1 or earlier are affected. This includes any WordPress site that has not upgraded beyond these releases.", "description_and_impact": "The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross\u2011Site Scripting due to the use of the unescaped $SERVER['PHP_SELF'] variable. A malicious user can inject arbitrary JavaScript into a page that is displayed when another user follows a crafted link. This allows the attacker to execute code in the victim\u2019s browser, which can lead to theft of session cookies, defacement of the site, or malicious redirects, thereby compromising the confidentiality and integrity of user data.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, and the EPSS score of less than 1\u202f% suggests a low probability of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger it remotely by tricking a user into visiting a specially crafted URL; no authentication or elevated privileges are required. The impact is limited to the surface area of the victim\u2019s browser session, but widespread, unsanitized cross\u2011site scripting can disrupt user experience and erode trust."}}}}, "created": "2025-12-12T08:47:54.420702+00:00", "updated": "2026-04-22T16:15:21.795132+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}