CVE-2026-2358
Received Received - Intake
Stored XSS in WP ULike Plugin via Shortcode Attribute

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-05-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2358
EUVD
EUVD-2026-11089
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
technowich wp_ulike 5.0.1
technowich wp_ulike to 5.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The WP ULike plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 5.0.1. This vulnerability arises from the `[wp_ulike_likers_box]` shortcode's `template` attribute, which uses the PHP function `html_entity_decode()` on shortcode attributes without properly sanitizing the output afterward. This bypasses WordPress's usual content filtering (`wp_kses_post()`), allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages.

When a user visits a page containing the injected script, the malicious code executes in their browser. The vulnerability requires that the post has at least one like for the XSS payload to render.


How can this vulnerability impact me? :

This vulnerability allows authenticated users with Contributor-level access or above to inject malicious scripts into WordPress pages via the `[wp_ulike_likers_box]` shortcode's `template` attribute. These scripts execute in the browsers of any users who view the affected pages.

  • Execution of arbitrary JavaScript code in users' browsers.
  • Potential theft of user session cookies or credentials.
  • Defacement or manipulation of website content.
  • Redirection of users to malicious websites.
  • Compromise of user data confidentiality and integrity.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': "This vulnerability involves Stored Cross-Site Scripting (XSS) via the `[wp_ulike_likers_box]` shortcode's `template` attribute in the WP ULike plugin versions up to 5.0.1. Detection involves identifying posts or pages that include this shortcode with a crafted `template` attribute that bypasses sanitization."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires an authenticated user with Contributor-level access or higher to inject malicious scripts, and the post must have at least one like for the XSS to render, detection can focus on scanning content for suspicious shortcode usage and monitoring user inputs.'}, {'type': 'paragraph', 'content': 'Suggested detection commands or methods include:'}, {'type': 'list_item', 'content': 'Search the WordPress database for posts containing the `[wp_ulike_likers_box]` shortcode with a `template` attribute. For example, using WP-CLI or direct SQL queries:'}, {'type': 'list_item', 'content': 'WP-CLI command to search post content for the vulnerable shortcode usage:\n`wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE \'%[wp_ulike_likers_box%template=%\'"`'}, {'type': 'list_item', 'content': 'Look for unusual or suspicious HTML or JavaScript code inside the `template` attribute values.'}, {'type': 'list_item', 'content': 'Monitor web server logs or application logs for unexpected script execution or injection attempts related to the shortcode.'}, {'type': 'list_item', 'content': 'Use security scanning tools or plugins that detect stored XSS vulnerabilities in WordPress content.'}] [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the WP ULike plugin to version 5.0.2 or later, where the vulnerability has been fixed by properly sanitizing the `template` attribute in the `[wp_ulike_likers_box]` shortcode.

Additional immediate steps include:

  • Restrict Contributor-level and higher user access temporarily if possible, to prevent exploitation by authenticated users.
  • Audit existing posts and pages for the presence of the vulnerable shortcode with malicious `template` attributes and remove or sanitize them.
  • Clear any cached pages or objects that might serve the injected scripts, especially if using caching plugins or hosting with cache layers (e.g., Kinsta cache purge support introduced in version 5.0.2).
  • Implement or enhance Web Application Firewall (WAF) rules to detect and block attempts to exploit this vulnerability.

Overall, updating the plugin to version 5.0.2 or newer is the most effective and recommended mitigation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart