CVE-2026-0909

Name of the Vulnerable Software and Affected Versions WP ULike versions prior to 4.8.3.1

Description The WP ULike plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. The wp ulike delete history api AJAX action does not confirm ownership of the log entry before allowing deletion. This allows authenticated attackers with Subscriber-level access or higher, possessing the 'stats' capability, to delete arbitrary log entries belonging to other users by manipulating the id parameter.

Recommendations Update WP ULike to version 4.8.3.1 or later.