{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14130", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T17:03:54.463Z", "datePublished": "2026-01-07T09:20:56.673Z", "dateUpdated": "2026-04-08T16:54:50.152Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:50.152Z"}, "affected": [{"vendor": "cuvixsystem", "product": "Post Like Dislike", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106"}, {"url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-01-06T20:32:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:57:34.650486Z", "id": "CVE-2025-14130", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:59:17.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14130", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:57:34.650486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:59:11.496Z"}}], "cna": {"title": "Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cuvixsystem", "product": "Post Like Dislike", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:32:25.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106"}, {"url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106"}], "descriptions": [{"lang": "en", "value": "The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T09:20:56.673Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14130", "state": "PUBLISHED", "dateUpdated": "2026-01-07T14:59:17.396Z", "dateReserved": "2025-12-05T17:03:54.463Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:20:56.673Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Post Like Dislike para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s de la variable `$_SERVER['PHP_SELF']` en todas las versiones hasta la 1.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14130", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:53.663", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:42:04.367159+00:00", "value": {"mitigation_remediation": ["Upgrade Post\u00a0Like\u00a0Dislike to the latest version that implements proper input sanitization and output escaping.", "If an update is not yet available, disable or uninstall the plugin to remove the attack surface.", "For temporary protection, replace the unsanitized $_SERVER['PHP_SELF'] usage with a safe function such as wp_unslash or sanitize_text_field before outputting it."], "summary": {"action": "Update Plugin", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"Post Like Dislike\" from vendor cuvixsystem. All released versions up to and including 1.0 are impacted; newer releases beyond 1.0 are presumed patched. Sites running the plugin are at risk regardless of user privileges, since unauthenticated users can trigger the XSS by visiting a malicious link.", "description_and_impact": "The Post Like Dislike plugin contains a reflected Cross\u2011Site Scripting flaw that allows an attacker to inject malicious JavaScript into pages served by the plugin. The flaw originates from unsanitized and unescaped use of the $_SERVER['PHP_SELF'] variable. When a crafted URL containing a payload is visited, the script is executed in the victim's browser, enabling attackers to steal session data, deface content, or perform phishing attacks. This vulnerability is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score is 6.1, indicating a medium level of severity. The exploit probability according to EPSS is below 1\u202f%, suggesting that the flaw is rarely targeted in the wild. It is not listed in CISA\u2019s KEV catalog. Successful exploitation requires an attacker to embed a malicious script into a URL that the victim follows, which typically demands social\u2011engineering or a malicious advertisement. Because the vulnerability is reflected, no local state is altered and the impact is limited to the victim\u2019s browser session."}}}}, "created": "2026-01-08T09:49:56.996632+00:00", "updated": "2026-04-21T16:45:15.218090+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}