
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 2 records (Critical 0, High 0, Medium 2). Showing 1-2 of 2 records.
Threat Entry Updated 2026-04-22

CVE-2026-2358 - WP ULike – Like & Dislike Buttons for Engagement and Feedback Plugin

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render.

Plugin: WP ULike – Like & Dislike Buttons for Engagement and Feedback

CVE: CVE-2026-2358

Severity: MEDIUM (CVSS 6.4), 2026-03-11

Threat Entry Updated 2026-04-15

CVE-2026-0909 - WP ULike – Like & Dislike Buttons for Engagement and Feedback Plugin

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter.

Plugin: WP ULike – Like & Dislike Buttons for Engagement and Feedback

CVE: CVE-2026-0909

Severity: MEDIUM (CVSS 5.3), 2026-02-03