PT-2026-5769 · Alimir · Wp Ulike – Engagement Analytics & Interactive Buttons To Understand Your Audience

Pouria Shahba

Published

2026-02-03

Updated

2026-02-03

CVE-2026-0909

CVSS v3.1

5.3

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the

wp ulike delete history api

AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-0909

Affected Products

Wp Ulike – Engagement Analytics & Interactive Buttons To Understand Your Audience

CVE-2026-0909

Weakness Enumeration

Related Identifiers

Affected Products

References · 5