{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2358", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T17:02:48.061Z", "datePublished": "2026-03-11T05:27:16.708Z", "dateUpdated": "2026-04-08T17:01:12.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:12.206Z"}, "affected": [{"vendor": "alimir", "product": "WP ULike \u2013 Like & Dislike Buttons for Engagement and Feedback", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render."}], "title": "WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74a7db23-f91c-452b-bc24-58fda69caf17?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/hooks/shortcodes.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L226"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/general.php#L375"}, {"url": "https://github.com/Alimir/wp-ulike/commit/3dcce696ea251b3733448332cc167e03b2a17c12"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475381%40wp-ulike%2Ftrunk&old=3457255%40wp-ulike%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "timeline": [{"time": "2026-02-11T17:18:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T17:08:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:09.055704Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:46.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:09.055704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:20.925Z"}}], "cna": {"title": "WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "alimir", "product": "WP ULike \u2013 Like & Dislike Buttons for Engagement and Feedback", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-11T17:18:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T17:08:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74a7db23-f91c-452b-bc24-58fda69caf17?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/hooks/shortcodes.php#L209"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L226"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/general.php#L375"}, {"url": "https://github.com/Alimir/wp-ulike/commit/3dcce696ea251b3733448332cc167e03b2a17c12"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475381%40wp-ulike%2Ftrunk&old=3457255%40wp-ulike%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:12.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2358", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:12.206Z", "dateReserved": "2026-02-11T17:02:48.061Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T05:27:16.708Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render."}, {"lang": "es", "value": "El plugin WP ULike para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo 'template' del shortcode '[wp_ulike_likers_box]' en todas las versiones hasta la 5.0.1, inclusive. Esto se debe al uso de 'html_entity_decode()' en los atributos del shortcode sin una posterior sanitizaci\u00f3n de la salida, lo que efectivamente omite el filtrado de contenido 'wp_kses_post()' de WordPress. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. La publicaci\u00f3n debe tener al menos un 'me gusta' para que el XSS se renderice."}], "id": "CVE-2026-2358", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T06:17:14.033", "references": [{"source": "security@wordfence.com", "url": "https://github.com/Alimir/wp-ulike/commit/3dcce696ea251b3733448332cc167e03b2a17c12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/general.php#L375"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L226"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L251"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/hooks/shortcodes.php#L209"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475381%40wp-ulike%2Ftrunk&old=3457255%40wp-ulike%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74a7db23-f91c-452b-bc24-58fda69caf17?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP ULike \u2013 Like & Dislike Buttons for Engagement and Feedback", "source": "cna", "vendor": "alimir"}, "product": "wp_ulike_\u2013_like_&_dislike_buttons_for_engagement_and_feedback", "vendor": "alimir"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:13:23.692214+00:00", "value": {"mitigation_remediation": ["Update the WP\u202fULike plugin to version\u202f5.0.2 or newer.", "If an immediate update is not possible, remove the `[wp_ulike_likers_box]` shortcode from posts or replace it with a sanitized version that strips non\u2011allowed tags.", "Restrict Contributor or higher privileges to trusted users, or use a role\u2011management plugin to limit write access and reduce the attack surface.", "After applying a patch or removal, clear any previously stored malicious payloads from the database to ensure no residual XSS remains.", "Monitor site logs for any unusual script execution or repeated XSS attempts to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the WP ULike plugin from vendor alimir, specifically all versions up to and including 5.0.1. WordPress sites that have the plugin activated and employ the `[wp_ulike_likers_box]` shortcode in any page or post are at risk.\n\n", "description_and_impact": "Key detail from vendor description: the WP ULike plugin for WordPress contains a stored cross\u2011site scripting vulnerability in the `[wp_ulike_likers_box]` shortcode `template` attribute. The plugin applies `html_entity_decode()` to shortcode attributes without performing subsequent output sanitization, effectively bypassing WordPress\u2019s default `wp_kses_post()` content filtering. This flaw allows authenticated attackers with Contributor\u2011level access or higher to inject arbitrary JavaScript that will run whenever a page containing a post with at least one like is viewed by any user, directly affecting confidentiality, integrity, and availability of the site\u2019s front\u2011end.\n\n", "risk_and_exploitability": "The CVSS score for this issue is 6.4, indicating medium severity. The EPSS score is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires that the attacker is an authenticated user with Contributor or higher privileges, and the payload will only execute if the target page contains a post that has at least one like. Consequently, the risk is primarily internal or from compromised contributor accounts, and the potential impact is significant only if such an account is accessible to malicious actors.\n\n"}}}}, "created": "2026-03-11T11:37:54.168379+00:00", "updated": "2026-03-20T14:37:51.903195+00:00", "vendors": ["alimir", "alimir$PRODUCT$wp_ulike_\u2013_like_&_dislike_buttons_for_engagement_and_feedback", "wordpress", "wordpress$PRODUCT$wordpress"]}