Executive Summary

The WP ULike plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 5.0.1. This vulnerability arises from the `[wp_ulike_likers_box]` shortcode's `template` attribute, which uses the PHP function `html_entity_decode()` on shortcode attributes without properly sanitizing the output afterward. This bypasses WordPress's usual content filtering (`wp_kses_post()`), allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages.

When a user visits a page containing the injected script, the malicious code executes in their browser. The vulnerability requires that the post has at least one like for the XSS payload to render.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with Contributor-level access or above to inject malicious scripts into WordPress pages via the `[wp_ulike_likers_box]` shortcode's `template` attribute. These scripts execute in the browsers of any users who view the affected pages.

• Execution of arbitrary JavaScript code in users' browsers.
• Potential theft of user session cookies or credentials.
• Defacement or manipulation of website content.
• Redirection of users to malicious websites.
• Compromise of user data confidentiality and integrity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves Stored Cross-Site Scripting (XSS) via the `[wp_ulike_likers_box]` shortcode's `template` attribute in the WP ULike plugin versions up to 5.0.1. Detection involves identifying posts or pages that include this shortcode with a crafted `template` attribute that bypasses sanitization."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires an authenticated user with Contributor-level access or higher to inject malicious scripts, and the post must have at least one like for the XSS to render, detection can focus on scanning content for suspicious shortcode usage and monitoring user inputs.'}, {'type': 'paragraph', 'content': 'Suggested detection commands or methods include:'}, {'type': 'list_item', 'content': 'Search the WordPress database for posts containing the `[wp_ulike_likers_box]` shortcode with a `template` attribute. For example, using WP-CLI or direct SQL queries:'}, {'type': 'list_item', 'content': 'WP-CLI command to search post content for the vulnerable shortcode usage:\n`wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE \'%[wp_ulike_likers_box%template=%\'"`'}, {'type': 'list_item', 'content': 'Look for unusual or suspicious HTML or JavaScript code inside the `template` attribute values.'}, {'type': 'list_item', 'content': 'Monitor web server logs or application logs for unexpected script execution or injection attempts related to the shortcode.'}, {'type': 'list_item', 'content': 'Use security scanning tools or plugins that detect stored XSS vulnerabilities in WordPress content.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the WP ULike plugin to version 5.0.2 or later, where the vulnerability has been fixed by properly sanitizing the `template` attribute in the `[wp_ulike_likers_box]` shortcode.

Additional immediate steps include:

• Restrict Contributor-level and higher user access temporarily if possible, to prevent exploitation by authenticated users.
• Audit existing posts and pages for the presence of the vulnerable shortcode with malicious `template` attributes and remove or sanitize them.
• Clear any cached pages or objects that might serve the injected scripts, especially if using caching plugins or hosting with cache layers (e.g., Kinsta cache purge support introduced in version 5.0.2).
• Implement or enhance Web Application Firewall (WAF) rules to detect and block attempts to exploit this vulnerability.

Overall, updating the plugin to version 5.0.2 or newer is the most effective and recommended mitigation.

Useful 0 Not Useful 0